Weekly Vulnerabilities Reports > August 14 to 20, 2023
Overview
484 new vulnerabilities were reported during this period, including 92 critical vulnerabilities and 147 high severity vulnerabilities. This weekly summary reports vulnerabilities in 1835 products from 221 vendors including Google, Fedoraproject, Broadcom, Debian, and Cisco. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "Command Injection", and "Path Traversal".
- 366 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities have a public exploit available.
- 188 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 284 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 62 reported vulnerabilities.
- Broadcom has the most reported critical vulnerabilities, with 11 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
92 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-08-20 | CVE-2023-4438 | Inventory Management System Project | SQL Injection vulnerability in Inventory Management System Project Inventory Management System 1.0 A vulnerability has been found in SourceCodester Inventory Management System 1.0 and classified as critical. | 9.8 |
2023-08-20 | CVE-2023-4440 | Free Hospital Management System FOR Small Practices Project | SQL Injection vulnerability in Free Hospital Management System for Small Practices Project Free Hospital Management System for Small Practices 1.0 A vulnerability was found in SourceCodester Free Hospital Management System for Small Practices 1.0. | 9.8 |
2023-08-20 | CVE-2023-4436 | Inventory Management System Project | SQL Injection vulnerability in Inventory Management System Project Inventory Management System 1.0 A vulnerability, which was classified as critical, has been found in SourceCodester Inventory Management System 1.0. | 9.8 |
2023-08-20 | CVE-2023-4437 | Inventory Management System Project | SQL Injection vulnerability in Inventory Management System Project Inventory Management System 1.0 A vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0. | 9.8 |
2023-08-20 | CVE-2022-24989 | Terra Master | Injection vulnerability in Terra-Master Terramaster Operating System TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. | 9.8 |
2023-08-18 | CVE-2023-40174 | Fobybus | Insufficient Session Expiration vulnerability in Fobybus Social-Media-Skeleton Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML. | 9.8 |
2023-08-18 | CVE-2023-40175 | Puma | HTTP Request Smuggling vulnerability in Puma Puma is a Ruby/Rack web server built for parallelism. | 9.8 |
2023-08-18 | CVE-2023-4414 | Byzoro | Command Injection vulnerability in Byzoro Smart S85F A vulnerability was found in Byzoro Smart S85F Management Platform up to 20230807. | 9.8 |
2023-08-18 | CVE-2023-4412 | Totolink | OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023 A vulnerability was found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 and classified as critical. | 9.8 |
2023-08-18 | CVE-2023-4410 | Totolink | OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023 A vulnerability, which was classified as critical, was found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023. | 9.8 |
2023-08-18 | CVE-2023-4411 | Totolink | OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023 A vulnerability has been found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 and classified as critical. | 9.8 |
2023-08-18 | CVE-2023-4407 | Credit Lite Project | SQL Injection vulnerability in Credit Lite Project Credit Lite 1.5.4 A vulnerability classified as critical was found in Codecanyon Credit Lite 1.5.4. | 9.8 |
2023-08-18 | CVE-2023-32626 | Elecom | Unspecified vulnerability in Elecom Lan-W300N/Pr5 Firmware and Lan-W300N/Rs Firmware Hidden functionality vulnerability in LAN-W300N/RS all versions, and LAN-W300N/PR5 all versions allows an unauthenticated attacker to log in to the product's certain management console and execute arbitrary OS commands. | 9.8 |
2023-08-18 | CVE-2023-35991 | Elecom | Unspecified vulnerability in Elecom products Hidden functionality vulnerability in LOGITEC wireless LAN routers allows an unauthenticated attacker to log in to the product's certain management console and execute arbitrary OS commands. | 9.8 |
2023-08-18 | CVE-2023-39454 | Elecom | Classic Buffer Overflow vulnerability in Elecom products Buffer overflow vulnerability in WRC-X1800GS-B v1.13 and earlier, WRC-X1800GSA-B v1.13 and earlier, and WRC-X1800GSH-B v1.13 and earlier allows an unauthenticated attacker to execute arbitrary code. | 9.8 |
2023-08-18 | CVE-2023-40069 | Elecom | OS Command Injection vulnerability in Elecom products OS command injection vulnerability in ELECOM wireless LAN routers allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted request. | 9.8 |
2023-08-18 | CVE-2023-39665 | Dlink | Classic Buffer Overflow vulnerability in Dlink Dir-868L Firmware 1.12Eumulti20170316 D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the acStack_50 parameter. | 9.8 |
2023-08-18 | CVE-2023-39666 | Dlink | Classic Buffer Overflow vulnerability in Dlink Dir-842 Firmware 1.05B02 D-Link DIR-842 fw_revA_1-02_eu_multi_20151008 was discovered to contain multiple buffer overflows in the fgets function via the acStack_120 and acStack_220 parameters. | 9.8 |
2023-08-18 | CVE-2023-39667 | Dlink | Classic Buffer Overflow vulnerability in Dlink Dir-868L Firmware 1.12Eumulti20170316 D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the param_2 parameter in the FUN_0000acb4 function. | 9.8 |
2023-08-18 | CVE-2023-39668 | Dlink | Classic Buffer Overflow vulnerability in Dlink Dir-868L Firmware 1.12Eumulti20170316 D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the param_2 parameter in the inet_ntoa() function. | 9.8 |
2023-08-18 | CVE-2023-39670 | Tenda | Classic Buffer Overflow vulnerability in Tenda AC6 Firmware 15.03.05.16 Tenda AC6 _US_AC6V1.0BR_V15.03.05.16 was discovered to contain a buffer overflow via the function fgets. | 9.8 |
2023-08-18 | CVE-2023-39671 | Dlink | Classic Buffer Overflow vulnerability in Dlink Dir-880L A1 Firmware 107Wwb08 D-Link DIR-880 A1_FW107WWb08 was discovered to contain a buffer overflow via the function FUN_0001be68. | 9.8 |
2023-08-18 | CVE-2023-39672 | Tenda | Classic Buffer Overflow vulnerability in Tenda Wh450A Firmware 1.0.0.18 Tenda WH450 v1.0.0.18 was discovered to contain a buffer overflow via the function fgets. | 9.8 |
2023-08-18 | CVE-2023-39673 | Tenda | Classic Buffer Overflow vulnerability in Tenda Ac15 Firmware 15.03.05.18 Tenda AC15 V1.0BR_V15.03.05.18_multi_TD01 was discovered to contain a buffer overflow via the function FUN_00010e34(). | 9.8 |
2023-08-18 | CVE-2023-39674 | Dlink | Classic Buffer Overflow vulnerability in Dlink Dir-880L A1 Firmware 107Wwb08 D-Link DIR-880 A1_FW107WWb08 was discovered to contain a buffer overflow via the function fgets. | 9.8 |
2023-08-17 | CVE-2023-39970 | Acyba | Unrestricted Upload of File with Dangerous Type vulnerability in Acyba Acymailing Starter Unrestricted Upload of File with Dangerous Type vulnerability in AcyMailing component for Joomla. | 9.8 |
2023-08-17 | CVE-2023-36845 | Juniper | Unspecified vulnerability in Juniper Junos A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection and execution of code. This issue affects Juniper Networks Junos OS on EX Series and SRX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2. | 9.8 |
2023-08-17 | CVE-2023-26469 | Jorani | Path Traversal vulnerability in Jorani 1.0.0 In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server. | 9.8 |
2023-08-17 | CVE-2023-2917 | Rockwellautomation | Path Traversal vulnerability in Rockwellautomation Thinmanager Thinserver 13.1.0 The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to an improper input validation, a path traversal vulnerability exists, via the filename field, when the ThinManager processes a certain function. | 9.8 |
2023-08-17 | CVE-2023-34215 | Moxa | Command Injection vulnerability in Moxa Tn-5900 Firmware 3.1/3.2/3.3 TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability. | 9.8 |
2023-08-17 | CVE-2023-40252 | Genians | Code Injection vulnerability in Genians Genian NAC and Genian Ztna Improper Control of Generation of Code ('Code Injection') vulnerability in Genians Genian NAC V4.0, Genians Genian NAC V5.0, Genians Genian NAC Suite V5.0, Genians Genian ZTNA allows Replace Trusted Executable. This issue affects Genian NAC V4.0: from V4.0.0 through V4.0.155; Genian NAC V5.0: from V5.0.0 through V5.0.42 (Revision 117460); Genian NAC Suite V5.0: from V5.0.0 through V5.0.54; Genian ZTNA: from V6.0.0 through V6.0.15. | 9.8 |
2023-08-17 | CVE-2023-33238 | Moxa | Command Injection vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability. | 9.8 |
2023-08-17 | CVE-2023-33239 | Moxa | Command Injection vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability. | 9.8 |
2023-08-17 | CVE-2023-34213 | Moxa | Command Injection vulnerability in Moxa Tn-5900 Firmware 3.1/3.2/3.3 TN-5900 Series firmware versions v3.3 and prior are vulnerable to command-injection vulnerability. | 9.8 |
2023-08-17 | CVE-2023-34214 | Moxa | Command Injection vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability. | 9.8 |
2023-08-16 | CVE-2023-38894 | Tree KIT Project | Unspecified vulnerability in Tree KIT Project Tree KIT A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function. | 9.8 |
2023-08-16 | CVE-2023-39846 | Pantsel | Improper Authentication vulnerability in Pantsel Konga 0.14.9 An issue in Konga v0.14.9 allows attackers to bypass authentication via a crafted JWT token. | 9.8 |
2023-08-16 | CVE-2023-4204 | Moxa | Use of Hard-coded Credentials vulnerability in Moxa Nport Iaw5000A-I/O Firmware NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected by a hardcoded credential vulnerability which poses a potential risk to the security and integrity of the affected device. | 9.8 |
2023-08-16 | CVE-2023-39115 | Campcodes | Unrestricted Upload of File with Dangerous Type vulnerability in Campcodes Complete Online Matrimonial Website System Script 3.3 install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document. | 9.8 |
2023-08-16 | CVE-2023-32493 | Dell | Unspecified vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS, 9.5.0.x, contains a protection mechanism bypass vulnerability. | 9.8 |
2023-08-16 | CVE-2023-33663 | AI DEV | SQL Injection vulnerability in Ai-Dev Aicustomfee In the module “Customization fields fee for your store” (aicustomfee) from ai-dev module for PrestaShop, an attacker can perform SQL injection up to 0.2.0. | 9.8 |
2023-08-16 | CVE-2020-26037 | Evenbalance | Path Traversal vulnerability in Evenbalance Punkbuster 1.902 Directory Traversal vulnerability in Server functionality in Even Balance Punkbuster version 1.902 before 1.905 allows remote attackers to execute arbitrary code. | 9.8 |
2023-08-15 | CVE-2023-39850 | Schoolmate Project | SQL Injection vulnerability in Schoolmate Project Schoolmate 1.3 Schoolmate v1.3 was discovered to contain multiple SQL injection vulnerabilities via the $courseid and $teacherid parameters at DeleteFunctions.php. | 9.8 |
2023-08-15 | CVE-2023-39851 | Webchess Project | SQL Injection vulnerability in Webchess Project Webchess 1.0 webchess v1.0 was discovered to contain a SQL injection vulnerability via the $playerID parameter at mainmenu.php. | 9.8 |
2023-08-15 | CVE-2023-39852 | Doctor Appointment System Project | SQL Injection vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0 Doctormms v1.0 was discovered to contain a SQL injection vulnerability via the $userid parameter at myAppoinment.php. | 9.8 |
2023-08-15 | CVE-2023-38864 | Comfast | Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2 An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the protal_delete_picname parameter in the sub_41171C function at bin/webmgnt. | 9.8 |
2023-08-15 | CVE-2023-38866 | Comfast | Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2 COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected at function sub_415588. | 9.8 |
2023-08-15 | CVE-2023-38861 | Wavlink | Command Injection vulnerability in Wavlink Wl-Wn575A3 Firmware R75A3V1410220513 An issue in Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 allows a remote attacker to execute arbitrary code via username parameter of the set_sys_adm function in adm.cgi. | 9.8 |
2023-08-15 | CVE-2023-38862 | Comfast | Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2 An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the destination parameter of sub_431F64 function in bin/webmgnt. | 9.8 |
2023-08-15 | CVE-2023-38863 | Comfast | Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2 An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the ifname and mac parameters in the sub_410074 function at bin/webmgnt. | 9.8 |
2023-08-15 | CVE-2023-38865 | Comfast | Command Injection vulnerability in Comfast Cf-Xr11 Firmware 2.7.2 COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected at function sub_4143F0. | 9.8 |
2023-08-15 | CVE-2023-4323 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable to improper session management of active sessions on Gateway setup | 9.8 |
2023-08-15 | CVE-2023-4324 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable due to insecure defaults of lacking HTTP Content-Security-Policy headers | 9.8 |
2023-08-15 | CVE-2023-4325 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable due to usage of Libcurl with LSA has known vulnerabilities | 9.8 |
2023-08-15 | CVE-2023-4329 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable due to insecure default of HTTP configuration that does not safeguard SESSIONID cookie with SameSite attribute | 9.8 |
2023-08-15 | CVE-2023-4336 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable due to insecure default of HTTP configuration that does not safeguard cookies with Secure attribute | 9.8 |
2023-08-15 | CVE-2023-4337 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable to improper session handling of managed servers on Gateway installation | 9.8 |
2023-08-15 | CVE-2023-4338 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable due to insecure default of HTTP configuration that does not provide X-Content-Type-Options Headers | 9.8 |
2023-08-15 | CVE-2023-4340 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller is vulnerable to Privilege escalation by taking advantage of the Session prints in the log file | 9.8 |
2023-08-15 | CVE-2023-4341 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller is vulnerable to Privilege escalation to root due to creation of insecure folders by Web GUI | 9.8 |
2023-08-15 | CVE-2023-4342 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable due to insecure defaults of lacking HTTP strict-transport-security policy | 9.8 |
2023-08-15 | CVE-2023-4344 | Broadcom | Use of Insufficiently Random Values vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection | 9.8 |
2023-08-15 | CVE-2023-38860 | Langchain | Code Injection vulnerability in Langchain 0.0.231 An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter. | 9.8 |
2023-08-15 | CVE-2023-38889 | Alluxio | Code Injection vulnerability in Alluxio An issue in Alluxio v.2.9.3 and before allows an attacker to execute arbitrary code via a crafted script to the username parameter of lluxio.util.CommonUtils.getUnixGroups(java.lang.String). | 9.8 |
2023-08-15 | CVE-2023-38896 | Langchain | Injection vulnerability in Langchain An issue in Harrison Chase langchain v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions. | 9.8 |
2023-08-15 | CVE-2023-38915 | Wolf18 | Unrestricted Upload of File with Dangerous Type vulnerability in Wolf18 Easyadmin8 1.0 File Upload vulnerability in Wolf-leo EasyAdmin8 v.1.0 allows a remote attacker to execute arbitrary code via the upload type function. | 9.8 |
2023-08-15 | CVE-2023-39659 | Langchain | Injection vulnerability in Langchain An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component. | 9.8 |
2023-08-15 | CVE-2023-39661 | Gabrieleventuri | Injection vulnerability in Gabrieleventuri Pandasai An issue in pandas-ai v.0.9.1 and before allows a remote attacker to execute arbitrary code via the _is_jailbreak function. | 9.8 |
2023-08-15 | CVE-2023-39662 | Llamaindex Project | Injection vulnerability in Llamaindex Project Llamaindex An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function. | 9.8 |
2023-08-15 | CVE-2023-35082 | Ivanti | Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. | 9.8 |
2023-08-14 | CVE-2023-21287 | Google | Type Confusion vulnerability in Google Android In multiple locations, there is a possible code execution due to type confusion. | 9.8 |
2023-08-14 | CVE-2023-20965 | Google | Insufficiently Protected Credentials vulnerability in Google Android 13.0 In processMessageImpl of ClientModeImpl.java, there is a possible credential disclosure in the TOFU flow due to a logic error in the code. | 9.8 |
2023-08-14 | CVE-2023-21242 | Google | Unspecified vulnerability in Google Android 13.0 In isServerCertChainValid of InsecureEapNetworkHandler.java, there is a possible way to trust an imposter server due to a logic error in the code. | 9.8 |
2023-08-14 | CVE-2023-3435 | Solwininfotech | Unspecified vulnerability in Solwininfotech User Activity LOG The User Activity Log WordPress plugin before 1.6.5 does not correctly sanitise and escape several parameters before using it in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks. | 9.8 |
2023-08-14 | CVE-2023-29468 | TI | Classic Buffer Overflow vulnerability in TI Wilink8-Wifi-Mcp8 8.5 The Texas Instruments (TI) WiLink WL18xx MCP driver does not limit the number of information elements (IEs) of type XCC_EXT_1_IE_ID or XCC_EXT_2_IE_ID that can be parsed in a management frame. | 9.8 |
2023-08-14 | CVE-2023-39292 | Mitel | SQL Injection vulnerability in Mitel products A SQL Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to access sensitive information and execute arbitrary database and management operations. | 9.8 |
2023-08-14 | CVE-2023-39293 | Mitel | Command Injection vulnerability in Mitel products A Command Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to execute arbitrary commands within the context of the system. | 9.8 |
2023-08-14 | CVE-2023-32748 | Mitel | Incorrect Authorization vulnerability in Mitel Mivoice Connect The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 (22.24.1500.0) could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control. | 9.8 |
2023-08-14 | CVE-2023-40359 | Invisible Island | Unspecified vulnerability in Invisible-Island Xterm xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue. | 9.8 |
2023-08-14 | CVE-2023-4322 | Radare Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. | 9.8 |
2023-08-14 | CVE-2023-30186 | Onlyoffice | Use After Free vulnerability in Onlyoffice Document Server A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. | 9.8 |
2023-08-14 | CVE-2023-30187 | Onlyoffice | Out-of-bounds Write vulnerability in Onlyoffice Document Server An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. | 9.8 |
2023-08-14 | CVE-2023-37847 | Novel Plus | SQL Injection vulnerability in Novel-Plus 3.6.2 novel-plus v3.6.2 was discovered to contain a SQL injection vulnerability. | 9.8 |
2023-08-14 | CVE-2023-3264 | Cyberpower Dataprobe | Use of Hard-coded Credentials vulnerability in multiple products The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database. A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records. | 9.8 |
2023-08-14 | CVE-2023-3265 | Cyberpower | Unspecified vulnerability in Cyberpower Powerpanel Server An authentication bypass exists on CyberPower PowerPanel Enterprise by failing to sanitize meta-characters from the username, allowing an attacker to login into the application with the default user "cyberpower" by appending a non-printable character. An unauthenticated attacker can leverage this vulnerability to log in to the CyberPower PowerPanel Enterprise as an administrator with hardcoded default credentials. | 9.8 |
2023-08-14 | CVE-2023-3266 | Cyberpower | Unspecified vulnerability in Cyberpower Powerpanel Server A non-feature complete authentication mechanism exists in the production application allowing an attacker to bypass all authentication checks if LDAP authentication is selected. An unauthenticated attacker can leverage this vulnerability to log in to the CyberPower PowerPanel Enterprise as an administrator by selecting LDAP authentication from a hidden HTML combo box. | 9.8 |
2023-08-14 | CVE-2023-3259 | Dataprobe | Deserialization of Untrusted Data vulnerability in Dataprobe products The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass. | 9.8 |
2023-08-19 | CVE-2023-2317 | Typora | Cross-site Scripting vulnerability in Typora DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading typora://app/typemark/updater/update.html in <embed> tag. | 9.6 |
2023-08-19 | CVE-2023-2318 | Marktext | Cross-site Scripting vulnerability in Marktext DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 and before on Windows, Linux and macOS allows arbitrary JavaScript code to run in the context of MarkText main window. | 9.6 |
2023-08-17 | CVE-2023-2915 | Rockwellautomation | Path Traversal vulnerability in Rockwellautomation Thinmanager Thinserver 13.1.0 The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to improper input validation, a path traversal vulnerability exists when the ThinManager software processes a certain function. | 9.1 |
2023-08-16 | CVE-2023-20013 | Cisco | Command Injection vulnerability in Cisco Intersight Private Virtual Appliance 1.0.9 Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges. | 9.1 |
2023-08-16 | CVE-2023-20017 | Cisco | Command Injection vulnerability in Cisco Intersight Private Virtual Appliance 1.0.9 Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges. | 9.1 |
147 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-08-18 | CVE-2023-40172 | Fobybus | Cross-Site Request Forgery (CSRF) vulnerability in Fobybus Social-Media-Skeleton Social media skeleton is an uncompleted/framework social media project implemented using PHP, CSS, JavaScript and HTML. | 8.8 |
2023-08-18 | CVE-2023-38890 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Online Shopping Portal 3.1 Online Shopping Portal Project 3.1 allows remote attackers to execute arbitrary SQL commands/queries via the login form, leading to unauthorized access and potential data manipulation. | 8.8 |
2023-08-18 | CVE-2023-4415 | Ruijienetworks | Improper Authentication vulnerability in Ruijienetworks Rg-Ew1200G Firmware 07161417R483 A vulnerability was found in Ruijie RG-EW1200G 07161417 r483. | 8.8 |
2023-08-18 | CVE-2023-4409 | Happysoft | Unrestricted Upload of File with Dangerous Type vulnerability in Happysoft Nbs&Happysoftwechat 1.1.6 A vulnerability, which was classified as critical, has been found in NBS&HappySoftWeChat 1.1.6. | 8.8 |
2023-08-18 | CVE-2023-38132 | Elecom | Unspecified vulnerability in Elecom Lan-W451Ngr Firmware LAN-W451NGR all versions provided by LOGITEC CORPORATION contains an improper access control vulnerability, which allows an unauthenticated attacker to log in to telnet service. | 8.8 |
2023-08-18 | CVE-2023-39445 | Elecom | Unspecified vulnerability in Elecom products Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an unauthenticated attacker to execute arbitrary code by sending a specially crafted file to the product's certain management console. | 8.8 |
2023-08-18 | CVE-2023-39455 | Elecom | OS Command Injection vulnerability in Elecom products OS command injection vulnerability in ELECOM wireless LAN routers allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request. | 8.8 |
2023-08-18 | CVE-2023-39944 | Elecom | OS Command Injection vulnerability in Elecom Wrc-1750Ghbk Firmware and Wrc-F1167Acf Firmware OS command injection vulnerability in WRC-F1167ACF all versions, and WRC-1750GHBK all versions allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted request. | 8.8 |
2023-08-18 | CVE-2023-40072 | Elecom | OS Command Injection vulnerability in Elecom Wab-S300 Firmware and Wab-S600-Ps Firmware OS command injection vulnerability in ELECOM wireless LAN access point devices allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request. | 8.8 |
2023-08-17 | CVE-2023-40313 | Opennms | Unspecified vulnerability in Opennms Horizon A BeanShell interpreter in remote server mode runs in OpenNMS Horizon versions earlier than 32.0.2 and in related Meridian versions which could allow arbitrary remote Java code execution. | 8.8 |
2023-08-17 | CVE-2023-37914 | Xwiki | Code Injection vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 8.8 |
2023-08-17 | CVE-2023-38902 | Ruijie | Command Injection vulnerability in Ruijie products A command injection vulnerability in RG-EW series home routers and repeaters v.EW_3.0(1)B11P219, RG-NBS and RG-S1930 series switches v.SWITCH_3.0(1)B11P219, RG-EG series business VPN routers v.EG_3.0(1)B11P219, EAP and RAP series wireless access points v.AP_3.0(1)B11P219, and NBC series wireless controllers v.AC_3.0(1)B11P219 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /cgi-bin/luci/api/cmd via the remoteIp field. | 8.8 |
2023-08-17 | CVE-2023-2910 | Asustor | Command Injection vulnerability in Asustor Data Master Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. | 8.8 |
2023-08-17 | CVE-2023-3697 | Asustor | Path Traversal vulnerability in Asustor Data Master Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and create files. | 8.8 |
2023-08-17 | CVE-2023-33237 | Moxa | Improper Authentication vulnerability in Moxa Tn-5900 Firmware 3.1/3.2/3.3 TN-5900 Series firmware version v3.3 and prior is vulnerable to improper-authentication vulnerability. | 8.8 |
2023-08-16 | CVE-2023-20211 | Cisco | SQL Injection vulnerability in Cisco Unified Communications Manager A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. | 8.8 |
2023-08-16 | CVE-2023-35893 | IBM | OS Command Injection vulnerability in IBM Security Guardium IBM Security Guardium 10.6, 11.3, 11.4, and 11.5 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. | 8.8 |
2023-08-16 | CVE-2023-39975 | MIT | Double Free vulnerability in MIT Kerberos 5 1.21/1.21.1 kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. | 8.8 |
2023-08-16 | CVE-2023-40336 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Folders A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders. | 8.8 |
2023-08-16 | CVE-2023-40341 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Blue Ocean A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. | 8.8 |
2023-08-16 | CVE-2023-0579 | Yarpp | Unspecified vulnerability in Yarpp The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. | 8.8 |
2023-08-16 | CVE-2023-1977 | Oplugins | Unspecified vulnerability in Oplugins Booking Manager The Booking Manager WordPress plugin before 2.0.29 does not validate URLs input in its admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks on the site's internal network. | 8.8 |
2023-08-15 | CVE-2023-2312 | Google | Use After Free vulnerability in Google Chrome Use after free in Offline in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4349 | Google Debian Fedoraproject | Use After Free vulnerability in multiple products Use after free in Device Trust Connectors in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4351 | Google Debian Fedoraproject | Use After Free vulnerability in multiple products Use after free in Network in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who has elicited a browser shutdown to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4352 | Google Debian Fedoraproject | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4353 | Google Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in ANGLE in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4354 | Google Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Skia in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4355 | Google Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4356 | Google Debian Fedoraproject | Use After Free vulnerability in multiple products Use after free in Audio in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who has convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4357 | Google Debian Fedoraproject | Insufficient validation of untrusted input in XML in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to bypass file access restrictions via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4358 | Google Debian Fedoraproject | Use After Free vulnerability in multiple products Use after free in DNS in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4362 | Google Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Mojom IDL in Google Chrome prior to 116.0.5845.96 allowed a remote attacker who had compromised the renderer process and gained control of a WebUI process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4366 | Google Debian Fedoraproject | Use After Free vulnerability in multiple products Use after free in Extensions in Google Chrome prior to 116.0.5845.96 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4368 | Google Debian | Insufficient policy enforcement in Extensions API in Google Chrome prior to 116.0.5845.96 allowed an attacker who convinced a user to install a malicious extension to bypass an enterprise policy via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-4369 | Google | Unspecified vulnerability in Google Chrome Insufficient data validation in Systems Extensions in Google Chrome on ChromeOS prior to 116.0.5845.120 allowed an attacker who convinced a user to install a malicious extension to bypass file restrictions via a crafted HTML page. | 8.8 |
2023-08-15 | CVE-2023-38916 | Mohammad Ajazuddin | SQL Injection vulnerability in Mohammad-Ajazuddin Evotingsystem-PHP 1.0 SQL Injection vulnerability in eVotingSystem-PHP v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the user input fields. | 8.8 |
2023-08-15 | CVE-2023-32004 | Nodejs Fedoraproject | Path Traversal vulnerability in multiple products A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. | 8.8 |
2023-08-15 | CVE-2023-32006 | Nodejs Fedoraproject | The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. | 8.8 |
2023-08-15 | CVE-2023-28479 | Tigergraph | Unspecified vulnerability in Tigergraph 3.7.0 An issue was discovered in Tigergraph Enterprise 3.7.0. | 8.8 |
2023-08-14 | CVE-2022-42828 | Apple | Unspecified vulnerability in Apple Macos The issue was addressed with improved memory handling. | 8.8 |
2023-08-14 | CVE-2022-48503 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved bounds checks. | 8.8 |
2023-08-14 | CVE-2023-28198 | Apple Wpewebkit Webkitgtk | Use After Free vulnerability in multiple products A use-after-free issue was addressed with improved memory management. | 8.8 |
2023-08-14 | CVE-2023-32358 | Apple | Type Confusion vulnerability in Apple Ipados, Iphone OS and Macos A type confusion issue was addressed with improved checks. | 8.8 |
2023-08-14 | CVE-2023-21273 | Google | Out-of-bounds Write vulnerability in Google Android In SDP_AddAttribute of sdp_db.cc, there is a possible out of bounds write due to an incorrect bounds check. | 8.8 |
2023-08-14 | CVE-2023-21282 | Google | Out-of-bounds Write vulnerability in Google Android In TRANSPOSER_SETTINGS of lpp_tran.h, there is a possible out of bounds write due to an incorrect bounds check. | 8.8 |
2023-08-14 | CVE-2023-28481 | Tigergraph | Authorization Bypass Through User-Controlled Key vulnerability in Tigergraph 3.7.0 An issue was discovered in Tigergraph Enterprise 3.7.0. | 8.8 |
2023-08-14 | CVE-2023-28483 | Tigergraph | Unspecified vulnerability in Tigergraph 3.7.0 An issue was discovered in Tigergraph Enterprise 3.7.0. | 8.8 |
2023-08-14 | CVE-2023-33013 | Zyxel | OS Command Injection vulnerability in Zyxel Nbg6604 Firmware 1.01(Abir.1)C0 A post-authentication command injection vulnerability in the NTP feature of Zyxel NBG6604 firmware version V1.01(ABIR.1)C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request. | 8.8 |
2023-08-14 | CVE-2023-3267 | Cyberpower | OS Command Injection vulnerability in Cyberpower Powerpanel Server When adding a remote backup location, an authenticated user can pass arbitrary OS commands through the username field. | 8.8 |
2023-08-14 | CVE-2023-3260 | Cyberpower Dataprobe | OS Command Injection vulnerability in multiple products The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to command injection via the `user-name` URL parameter. | 8.8 |
2023-08-14 | CVE-2023-40295 | 0Branch | Out-of-bounds Write vulnerability in 0Branch Boron 2.0.8 libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_strInitUtf8 at string.c. | 8.8 |
2023-08-14 | CVE-2023-40020 | Troplo | Improper Authentication vulnerability in Troplo Privateuploader PrivateUploader is an open source image hosting server written in Vue and TypeScript. | 8.3 |
2023-08-17 | CVE-2023-3698 | Asustor | Path Traversal vulnerability in Asustor Data Master Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and delete files. | 8.1 |
2023-08-17 | CVE-2023-34216 | Moxa | Path Traversal vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability. | 8.1 |
2023-08-17 | CVE-2023-34217 | Moxa | Path Traversal vulnerability in Moxa Tn-4900 Firmware and Tn-5900 Firmware TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability. | 8.1 |
2023-08-16 | CVE-2023-40034 | Woodpecker CI | Unspecified vulnerability in Woodpecker-Ci Woodpecker 1.0.0/1.0.1 Woodpecker is a community fork of the Drone CI system. | 8.1 |
2023-08-15 | CVE-2023-39438 | SAP | Missing Authorization vulnerability in SAP Contributor License Agreement Assistant A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps. | 8.1 |
2023-08-18 | CVE-2023-38576 | Elecom | Unspecified vulnerability in Elecom Lan-Wh300N/Re Firmware Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an authenticated user to execute arbitrary OS commands on a certain management console. | 8.0 |
2023-08-17 | CVE-2023-40315 | Opennms | Unspecified vulnerability in Opennms Horizon and Meridian In OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 and related Meridian versions, any user that has the ROLE_FILESYSTEM_EDITOR can easily escalate their privileges to ROLE_ADMIN or any other role. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer. | 8.0 |
2023-08-17 | CVE-2023-38843 | Atlos | Improper Neutralization of Formula Elements in a CSV File vulnerability in Atlos 1.0 An issue in Atlos v.1.0 allows an authenticated attacker to execute arbitrary code via a crafted payload into the description field in the incident function. | 8.0 |
2023-08-14 | CVE-2023-0872 | Opennms | Unspecified vulnerability in Opennms Horizon and Meridian The Horizon REST API includes a users endpoint that, in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms, is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. | 8.0 |
2023-08-17 | CVE-2023-3078 | Lenovo | Uncontrolled Search Path Element vulnerability in Lenovo Universal Device Client An uncontrolled search path vulnerability was reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges. | 7.8 |
2023-08-17 | CVE-2023-4030 | Lenovo | Failing Open vulnerability in Lenovo products A vulnerability was reported in BIOS for ThinkPad P14s Gen 2, P15s Gen 2, T14 Gen 2, and T15 Gen 2 that could cause the system to recover to insecure settings if the BIOS becomes corrupt. | 7.8 |
2023-08-16 | CVE-2023-20224 | Cisco | Argument Injection or Modification vulnerability in Cisco Thousandeyes Enterprise Agent A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to insufficient input validation of user-supplied CLI arguments. | 7.8 |
2023-08-16 | CVE-2023-4383 | Escanav | Incorrect Permission Assignment for Critical Resource vulnerability in Escanav Escan Anti-Virus 7.0.32 A vulnerability, which was classified as critical, was found in MicroWorld eScan Anti-Virus 7.0.32 on Linux. | 7.8 |
2023-08-16 | CVE-2023-32486 | Dell | Unspecified vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS 9.5.x version contains a privilege escalation vulnerability. | 7.8 |
2023-08-16 | CVE-2023-32487 | Dell | Unspecified vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS, 8.2.x - 9.5.0.x, contains an elevation of privilege vulnerability. | 7.8 |
2023-08-16 | CVE-2023-32495 | Dell | Unspecified vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS, 8.2.x-9.5.x, contains an exposure of sensitive information to an unauthorized actor vulnerability. | 7.8 |
2023-08-15 | CVE-2023-38401 | HP | Unspecified vulnerability in HP Aruba Virtual Intranet Access A vulnerability in the HPE Aruba Networking Virtual Intranet Access (VIA) client could allow local users to elevate privileges. | 7.8 |
2023-08-14 | CVE-2020-36615 | Apple | Out-of-bounds Read vulnerability in Apple Macos An out-of-bounds read was addressed with improved bounds checking. | 7.8 |
2023-08-14 | CVE-2022-46706 | Apple | Type Confusion vulnerability in Apple mac OS X and Macos A type confusion issue was addressed with improved state handling. | 7.8 |
2023-08-14 | CVE-2023-21229 | Google | Unspecified vulnerability in Google Android 11.0/13.0 In registerServiceLocked of ManagedServices.java, there is a possible bypass of background activity launch restrictions due to an unsafe PendingIntent. | 7.8 |
2023-08-14 | CVE-2023-21231 | Google | Unspecified vulnerability in Google Android 13.0 In getIntentForButton of ButtonManager.java, there is a possible way for an unprivileged application to start a non-exported or permission-protected activity due to a missing permission check. | 7.8 |
2023-08-14 | CVE-2023-21235 | Google | Unspecified vulnerability in Google Android 11.0/13.0 In onCreate of LockSettingsActivity.java, there is a possible way to set a new lockscreen PIN without entering the existing PIN due to a permissions bypass. | 7.8 |
2023-08-14 | CVE-2023-21272 | Google | Improper Input Validation vulnerability in Google Android 11.0/12.0/12.1 In readFrom of Uri.java, there is a possible bad URI permission grant due to improper input validation. | 7.8 |
2023-08-14 | CVE-2023-21275 | Google | Unspecified vulnerability in Google Android 12.0/12.1/13.0 In decideCancelProvisioningDialog of AdminIntegratedFlowPrepareActivity.java, there is a possible way to bypass factory reset protections due to a logic error in the code. | 7.8 |
2023-08-14 | CVE-2023-21281 | Google | Unspecified vulnerability in Google Android In multiple functions of KeyguardViewMediator.java, there is a possible failure to lock after screen timeout due to a logic error in the code. | 7.8 |
2023-08-14 | CVE-2023-21286 | Google | Unspecified vulnerability in Google Android In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check. | 7.8 |
2023-08-14 | CVE-2023-35689 | Google | Insecure Default Initialization of Resource vulnerability in Google Android 11.0/13.0 In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW completion due to an insecure default value. | 7.8 |
2023-08-14 | CVE-2023-21269 | Google | Improper Privilege Management vulnerability in Google Android 13.0 In startActivityInner of ActivityStarter.java, there is a possible way to launch an activity into PiP mode from the background due to BAL bypass. | 7.8 |
2023-08-14 | CVE-2023-38721 | IBM | Unspecified vulnerability in IBM I The IBM i 7.2, 7.3, 7.4, and 7.5 product Facsimile Support for i contains a local privilege escalation vulnerability. | 7.8 |
2023-08-14 | CVE-2023-3160 | Eset | Improper Privilege Management vulnerability in Eset products The vulnerability potentially allows an attacker to misuse ESET’s file operations during the module update to delete or move files without having proper permissions. | 7.8 |
2023-08-14 | CVE-2023-40303 | GNU | Unchecked Return Value vulnerability in GNU Inetutils GNU inetutils before 2.5 may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd. | 7.8 |
2023-08-14 | CVE-2023-40283 | Linux Debian Canonical | Use After Free vulnerability in multiple products An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. | 7.8 |
2023-08-20 | CVE-2023-37369 | QT Debian | In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. | 7.5 |
2023-08-20 | CVE-2023-40711 | Veilid | Out-of-bounds Write vulnerability in Veilid Veilid before 0.1.9 does not check the size of uncompressed data during decompression upon an envelope receipt, which allows remote attackers to cause a denial of service (out-of-memory abort) via crafted packet data, as exploited in the wild in August 2023. | 7.5 |
2023-08-18 | CVE-2023-38839 | Kidus | SQL Injection vulnerability in Kidus Minimati 1.0.0 SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote attacker to obtain sensitive information via the ID parameter in the fulldelete.php component. | 7.5 |
2023-08-18 | CVE-2023-40173 | Fobybus | Insufficiently Protected Credentials vulnerability in Fobybus Social-Media-Skeleton Social media skeleton is an uncompleted/framework social media project implemented using php, css, javascript and html. | 7.5 |
2023-08-18 | CVE-2023-20212 | Cisco | Unspecified vulnerability in Cisco Secure Endpoint and Secure Endpoint Private Cloud A vulnerability in the AutoIt module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2023-08-18 | CVE-2023-39415 | Northgrid | Improper Authentication vulnerability in Northgrid Proself 1.07/1.62/5.61 Improper authentication vulnerability in Proself Enterprise/Standard Edition Ver5.61 and earlier, Proself Gateway Edition Ver1.62 and earlier, and Proself Mail Sanitize Edition Ver1.07 and earlier allow a remote unauthenticated attacker to log in to the product's Control Panel and perform an unintended operation. | 7.5 |
2023-08-18 | CVE-2023-39669 | Dlink | NULL Pointer Dereference vulnerability in Dlink Dir-880L A1 Firmware 107Wwb08 D-Link DIR-880 A1_FW107WWb08 was discovered to contain a NULL pointer dereference in the function FUN_00010824. | 7.5 |
2023-08-18 | CVE-2023-39125 | Ntsc CRT Project | Integer Overflow or Wraparound vulnerability in Ntsc-Crt Project Ntsc-Crt 2.2.1 NTSC-CRT 2.2.1 has an integer overflow and out-of-bounds write in loadBMP in bmp_rw.c because a file's width, height, and BPP are not validated. | 7.5 |
2023-08-17 | CVE-2023-40171 | Netflix | Information Exposure Through an Error Message vulnerability in Netflix Dispatch Dispatch is an open source security incident management tool. | 7.5 |
2023-08-17 | CVE-2023-36106 | Powerjob | Unspecified vulnerability in Powerjob An incorrect access control vulnerability in powerjob 4.3.2 and earlier allows remote attackers to obtain sensitive information via the interface for querying via appId parameter to /container/list. | 7.5 |
2023-08-17 | CVE-2023-40165 | Rubygems | Unspecified vulnerability in Rubygems Rubygems.Org rubygems.org is the Ruby community's primary gem (library) hosting service. | 7.5 |
2023-08-17 | CVE-2023-2914 | Rockwellautomation | Integer Overflow or Wraparound vulnerability in Rockwellautomation Thinmanager Thinserver 13.1.0 The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability, an integer overflow condition exists in the affected products. | 7.5 |
2023-08-17 | CVE-2023-40272 | Apache | Unspecified vulnerability in Apache Apache-Airflow-Providers-Apache-Spark Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected. | 7.5 |
2023-08-17 | CVE-2023-38838 | Kiduswb | SQL Injection vulnerability in Kiduswb Minimati 1.0.0 SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote attacker to obtain sensitive information via the edit.php component. | 7.5 |
2023-08-16 | CVE-2023-20197 | Cisco Fedoraproject | Infinite Loop vulnerability in multiple products A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. | 7.5 |
2023-08-16 | CVE-2023-38737 | IBM | Resource Exhaustion vulnerability in IBM Websphere Application Server IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is vulnerable to a denial of service, caused by sending a specially-crafted request. | 7.5 |
2023-08-16 | CVE-2023-40339 | Jenkins | Unspecified vulnerability in Jenkins Config File Provider Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. | 7.5 |
2023-08-16 | CVE-2023-40340 | Jenkins | Unspecified vulnerability in Jenkins Nodejs Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. | 7.5 |
2023-08-16 | CVE-2023-4241 | Cloudflare | Unspecified vulnerability in Cloudflare Lol-Html lol-html can cause panics on certain HTML inputs. | 7.5 |
2023-08-15 | CVE-2023-4326 | Broadcom | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface has an insecure default TLS configuration that supports obsolete SHA1-based ciphersuites | 7.5 |
2023-08-15 | CVE-2023-4331 | Broadcom | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface has an insecure default TLS configuration that supports obsolete and vulnerable TLS protocols | 7.5 |
2023-08-15 | CVE-2023-4332 | Broadcom | Incorrect Permission Assignment for Critical Resource vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable due to improper permissions on the log file | 7.5 |
2023-08-15 | CVE-2023-4334 | Broadcom | Missing Authentication for Critical Function vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller Web server (nginx) is serving private files without any authentication | 7.5 |
2023-08-15 | CVE-2023-4335 | Broadcom | Missing Authentication for Critical Function vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller Web server (nginx) is serving private server-side files without any authentication on Linux | 7.5 |
2023-08-15 | CVE-2023-4339 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable to exposure of private keys used for CIM stored with insecure file permissions | 7.5 |
2023-08-15 | CVE-2023-4343 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable due to exposure of sensitive password information in the URL as a URL search parameter | 7.5 |
2023-08-14 | CVE-2023-21233 | Google | Use of Uninitialized Resource vulnerability in Google Android 11.0 In multiple locations of avrc, there is a possible leak of heap data due to uninitialized data. | 7.5 |
2023-08-14 | CVE-2023-40518 | Litespeedtech | Unspecified vulnerability in Litespeedtech Openlitespeed LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers. | 7.5 |
2023-08-14 | CVE-2023-21265 | Google | Improper Certificate Validation vulnerability in Google Android In multiple locations, there are root CA certificates which need to be disabled. | 7.5 |
2023-08-14 | CVE-2023-39827 | Tenda | Out-of-bounds Write vulnerability in Tenda A18 Firmware 15.13.07.09 Tenda A18 V15.13.07.09 was discovered to contain a stack overflow via the rule_info parameter in the formAddMacfilterRule function. | 7.5 |
2023-08-14 | CVE-2023-39828 | Tenda | Out-of-bounds Write vulnerability in Tenda A18 Firmware 15.13.07.09 Tenda A18 V15.13.07.09 was discovered to contain a stack overflow via the security parameter in the formWifiBasicSet function. | 7.5 |
2023-08-14 | CVE-2023-39829 | Tenda | Out-of-bounds Write vulnerability in Tenda A18 Firmware 15.13.07.09 Tenda A18 V15.13.07.09 was discovered to contain a stack overflow via the wpapsk_crypto2_4g parameter in the fromSetWirelessRepeat function. | 7.5 |
2023-08-14 | CVE-2023-40023 | Yaklang | Unspecified vulnerability in Yaklang yaklang is a programming language designed for cybersecurity. | 7.5 |
2023-08-14 | CVE-2023-39908 | Yubico | Out-of-bounds Read vulnerability in Yubico Yubihsm 2 SDK The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata. | 7.5 |
2023-08-14 | CVE-2023-38741 | IBM | Unspecified vulnerability in IBM Txseries for Multiplatform 8.1/8.2/9.1 IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. | 7.5 |
2023-08-14 | CVE-2023-31041 | Insyde | Cleartext Storage of Sensitive Information vulnerability in Insyde Insydeh2O An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. | 7.5 |
2023-08-14 | CVE-2023-30188 | Onlyoffice | Infinite Loop vulnerability in Onlyoffice Document Server Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via a crafted JavaScript file. | 7.5 |
2023-08-14 | CVE-2023-3263 | Dataprobe | Improper Authentication vulnerability in Dataprobe products The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass in the REST API due to the mishandling of special characters when parsing credentials. Successful exploitation allows the malicious agent to obtain a valid authorization token and read information relating to the state of the relays and power distribution. | 7.5 |
2023-08-14 | CVE-2023-40296 | Eminfedar | Out-of-bounds Write vulnerability in Eminfedar Async-Sockets-Cpp async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in ReceiveFrom and Receive in udpsocket.hpp when processing malformed UDP packets. | 7.5 |
2023-08-14 | CVE-2023-40274 | Getzola | Path Traversal vulnerability in Getzola Zola An issue was discovered in zola 0.13.0 through 0.17.2. | 7.5 |
2023-08-19 | CVE-2023-2316 | Typora | Path Traversal vulnerability in Typora Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>". | 7.4 |
2023-08-16 | CVE-2022-4894 | HP Samsung | Uncontrolled Search Path Element vulnerability in multiple products Certain HP and Samsung Printer software packages may potentially be vulnerable to elevation of privilege due to Uncontrolled Search Path Element. | 7.3 |
2023-08-18 | CVE-2023-39416 | Northgrid | OS Command Injection vulnerability in Northgrid Proself 1.07/1.62/5.61 Proself Enterprise/Standard Edition Ver5.61 and earlier, Proself Gateway Edition Ver1.62 and earlier, and Proself Mail Sanitize Edition Ver1.07 and earlier allow a remote authenticated attacker with an administrative privilege to execute arbitrary OS commands. | 7.2 |
2023-08-17 | CVE-2023-31938 | Online Travel Agency System Project | SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0 SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the emp_id parameter at employee_detail.php. | 7.2 |
2023-08-17 | CVE-2023-31939 | Online Travel Agency System Project | SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0 SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the costomer_id parameter at customer_edit.php. | 7.2 |
2023-08-17 | CVE-2023-31940 | Online Travel Agency System Project | SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0 SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the page_id parameter at article_edit.php. | 7.2 |
2023-08-17 | CVE-2023-31941 | Online Travel Agency System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0 File Upload vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via a crafted PHP file to the employee_insert.php. | 7.2 |
2023-08-17 | CVE-2023-31943 | Online Travel Agency System Project | SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0 SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the ticket_id parameter at ticket_detail.php. | 7.2 |
2023-08-17 | CVE-2023-31944 | Online Travel Agency System Project | SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0 SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the emp_id parameter at employee_edit.php. | 7.2 |
2023-08-17 | CVE-2023-31945 | Online Travel Agency System Project | SQL Injection vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0 SQL injection vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the id parameter at daily_expenditure_edit.php. | 7.2 |
2023-08-17 | CVE-2023-31946 | Online Travel Agency System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0 File Upload vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via a crafted PHP file to the artical.php. | 7.2 |
2023-08-16 | CVE-2023-20209 | Cisco | Command Injection vulnerability in Cisco Telepresence Video Communication Server 14.0/14.0.5/14.0.7 A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device. This vulnerability is due to insufficient validation of user-supplied input. | 7.2 |
2023-08-14 | CVE-2023-3261 | Cyberpower Dataprobe | OS Command Injection vulnerability in multiple products The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier contains a buffer overflow vulnerability in the librta.so.0.0.0 library. Successful exploitation could cause denial of service or unexpected behavior with respect to all interactions relying on the targeted vulnerable binary, including the ability to log in via the web server. | 7.2 |
2023-08-19 | CVE-2023-2110 | Obsidian | Path Traversal vulnerability in Obsidian Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". | 7.1 |
2023-08-16 | CVE-2023-20229 | Cisco | Path Traversal vulnerability in Cisco DUO Device Health Application A vulnerability in the CryptoService function of Cisco Duo Device Health Application for Windows could allow an authenticated, local attacker with low privileges to conduct directory traversal attacks and overwrite arbitrary files on an affected system. This vulnerability is due to insufficient input validation. | 7.1 |
2023-08-16 | CVE-2023-40033 | Flarum | Server-Side Request Forgery (SSRF) vulnerability in Flarum Flarum is an open source forum software. | 7.1 |
2023-08-16 | CVE-2023-4387 | Linux Redhat | Use After Free vulnerability in multiple products A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. | 7.1 |
2023-08-16 | CVE-2023-4389 | Linux | Double Free vulnerability in Linux Kernel A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. | 7.1 |
2023-08-16 | CVE-2023-32492 | Dell | Incorrect Default Permissions vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS 9.5.0.x contains an incorrect default permissions vulnerability. | 7.1 |
2023-08-15 | CVE-2023-38402 | HP | Unspecified vulnerability in HP Aruba Virtual Intranet Access A vulnerability in the HPE Aruba Networking Virtual Intranet Access (VIA) client could allow malicious users to overwrite arbitrary files as NT AUTHORITY\SYSTEM. | 7.1 |
2023-08-14 | CVE-2023-28179 | Apple | Unspecified vulnerability in Apple Macos The issue was addressed with improved memory handling. | 7.1 |
2023-08-20 | CVE-2023-37250 | Unity | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Unity Parsec Unity Parsec has a TOCTOU race condition that permits local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode. | 7.0 |
236 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-08-14 | CVE-2023-21132 | Google | Missing Authorization vulnerability in Google Android 12.0/12.1/13.0 In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. | 6.8 |
2023-08-14 | CVE-2023-21133 | Google | Missing Authorization vulnerability in Google Android 12.0/12.1/13.0 In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. | 6.8 |
2023-08-14 | CVE-2023-21134 | Google | Missing Authorization vulnerability in Google Android 12.0/12.1/13.0 In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. | 6.8 |
2023-08-14 | CVE-2023-21140 | Google | Missing Authorization vulnerability in Google Android 12.0/12.1/13.0 In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. | 6.8 |
2023-08-14 | CVE-2023-40291 | Samsung | Unspecified vulnerability in Samsung Harman Infotainment 20190525031613 Harman Infotainment 20190525031613 allows root access via SSH over a USB-to-Ethernet dongle with a password that is an internal project name. | 6.8 |
2023-08-14 | CVE-2023-40293 | Samsung | Command Injection vulnerability in Samsung Harman Infotainment 20190525031613 Harman Infotainment 20190525031613 and later allows command injection via unauthenticated RPC with a D-Bus connection object. | 6.8 |
2023-08-18 | CVE-2023-27576 | Phplist | Unspecified vulnerability in PHPlist 3.6.12 An issue was discovered in phpList before 3.6.14. | 6.7 |
2023-08-17 | CVE-2023-34419 | Lenovo | Classic Buffer Overflow vulnerability in Lenovo products A buffer overflow has been identified in the SetupUtility driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code. | 6.7 |
2023-08-17 | CVE-2023-4028 | Lenovo | Classic Buffer Overflow vulnerability in Lenovo products A buffer overflow has been identified in the SystemUserMasterHddPwdDxe driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code. | 6.7 |
2023-08-17 | CVE-2023-4029 | Lenovo | Classic Buffer Overflow vulnerability in Lenovo products A buffer overflow has been identified in the BoardUpdateAcpiDxe driver in some Lenovo ThinkPad products which may allow an attacker with local access and elevated privileges to execute arbitrary code. | 6.7 |
2023-08-17 | CVE-2023-29182 | Fortinet | Out-of-bounds Write vulnerability in Fortinet Fortios A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiOS before 7.0.3 allows a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections. | 6.7 |
2023-08-16 | CVE-2023-32489 | Dell | Unspecified vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS 8.2x -9.5x contains a privilege escalation vulnerability. | 6.7 |
2023-08-16 | CVE-2023-32490 | Dell | Unspecified vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS 8.2x -9.5x contains an improper privilege management vulnerability. | 6.7 |
2023-08-16 | CVE-2023-32494 | Dell | Unspecified vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS, 8.0.x-9.5.x, contains an improper handling of insufficient privileges vulnerability. | 6.7 |
2023-08-15 | CVE-2023-20564 | AMD | Improper Input Validation vulnerability in AMD Ryzen Master and Ryzen Master Monitoring SDK Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may permit a privileged attacker to perform memory reads/writes potentially leading to a loss of confidentiality or arbitrary kernel execution. | 6.7 |
2023-08-14 | CVE-2023-21264 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. | 6.7 |
2023-08-14 | CVE-2023-3262 | Dataprobe | Use of Hard-coded Credentials vulnerability in Dataprobe products The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database. A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records. | 6.7 |
2023-08-19 | CVE-2023-2971 | Typora | Path Traversal vulnerability in Typora Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/typemark/". | 6.5 |
2023-08-18 | CVE-2023-40037 | Apache | Incorrect Comparison vulnerability in Apache Nifi 1.21.0/1.22.0 Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. | 6.5 |
2023-08-17 | CVE-2023-31492 | Zohocorp | Insufficiently Protected Credentials vulnerability in Zohocorp Manageengine Admanager Plus Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. | 6.5 |
2023-08-17 | CVE-2023-40168 | Turbowarp | Incorrect Authorization vulnerability in Turbowarp Desktop TurboWarp is a desktop application that compiles scratch projects to JavaScript. | 6.5 |
2023-08-16 | CVE-2023-20111 | Cisco | Unspecified vulnerability in Cisco Identity Services Engine A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information. This vulnerability is due to the improper storage of sensitive information within the web-based management interface. | 6.5 |
2023-08-16 | CVE-2023-20221 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web-based management interface of an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. | 6.5 |
2023-08-16 | CVE-2023-40345 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Delphix Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to. | 6.5 |
2023-08-16 | CVE-2023-40347 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Maven Artifact Choicelistprovider (Nexus) Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. | 6.5 |
2023-08-16 | CVE-2023-32491 | Dell | Information Exposure Through Log Files vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS 9.5.0.x, contains an insertion of sensitive information into log file vulnerability in SNMPv3. | 6.5 |
2023-08-15 | CVE-2023-40028 | Ghost | Link Following vulnerability in Ghost Ghost is an open source content management system. | 6.5 |
2023-08-15 | CVE-2023-4345 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable to a client-side control bypass that leads to unauthorized data access for a low-privileged user. | 6.5 |
2023-08-15 | CVE-2023-4350 | Google Debian Fedoraproject | Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to potentially spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 6.5 |
2023-08-15 | CVE-2023-4367 | Google Debian Fedoraproject | Insufficient policy enforcement in Extensions API in Google Chrome prior to 116.0.5845.96 allowed an attacker who convinced a user to install a malicious extension to bypass an enterprise policy via a crafted HTML page. | 6.5 |
2023-08-15 | CVE-2023-38851 | Libxls Project | Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2 Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the xls_parseWorkBook function in xls.c:1018. | 6.5 |
2023-08-15 | CVE-2023-38852 | Libxls Project | Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2 Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the unicode_decode_wcstombs function in xlstool.c:266. | 6.5 |
2023-08-15 | CVE-2023-38853 | Libxls Project | Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2 Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the xls_parseWorkBook function in xls.c:1015. | 6.5 |
2023-08-15 | CVE-2023-38854 | Libxls Project | Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2 Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the transcode_latin1_to_utf8 function in xlstool.c:296. | 6.5 |
2023-08-15 | CVE-2023-38855 | Libxls Project | Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2 Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the get_string function in xlstool.c:395. | 6.5 |
2023-08-15 | CVE-2023-38856 | Libxls Project | Out-of-bounds Write vulnerability in Libxls Project Libxls 1.6.2 Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the get_string function in xlstool.c:411. | 6.5 |
2023-08-15 | CVE-2023-38858 | Faad2 Project | Out-of-bounds Write vulnerability in Faad2 Project Faad2 2.10.1 Buffer Overflow vulnerability in faad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the mp4info function in mp4read.c:1039. | 6.5 |
2023-08-14 | CVE-2023-28480 | Tigergraph | Unrestricted Upload of File with Dangerous Type vulnerability in Tigergraph 3.7.0 An issue was discovered in Tigergraph Enterprise 3.7.0. | 6.5 |
2023-08-14 | CVE-2023-28482 | Tigergraph | Unrestricted Upload of File with Dangerous Type vulnerability in Tigergraph 3.7.0 An issue was discovered in Tigergraph Enterprise 3.7.0. | 6.5 |
2023-08-14 | CVE-2023-28768 | Zyxel | Improper Handling of Exceptional Conditions vulnerability in Zyxel products Improper frame handling in the Zyxel XGS2220-30 firmware version V4.80(ABXN.1), XMG1930-30 firmware version V4.80(ACAR.1), and XS1930-10 firmware version V4.80(ABQE.1) could allow an unauthenticated LAN-based attacker to cause denial-of-service (DoS) conditions by sending crafted frames to an affected switch. | 6.5 |
2023-08-14 | CVE-2023-40354 | Mariadb | Cleartext Storage of Sensitive Information vulnerability in Mariadb Maxscale An issue was discovered in MariaDB MaxScale before 23.02.3. | 6.5 |
2023-08-14 | CVE-2023-40294 | 0Branch | Out-of-bounds Write vulnerability in 0Branch Boron 2.0.8 libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_parseBlockI at i_parse_blk.c. | 6.5 |
2023-08-16 | CVE-2023-28075 | Dell | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Dell products Dell BIOS contains a Time-of-check Time-of-use vulnerability in BIOS. | 6.3 |
2023-08-20 | CVE-2023-4451 | Agentejo | Cross-site Scripting vulnerability in Agentejo Cockpit Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | 6.1 |
2023-08-20 | CVE-2023-4434 | Hamza417 | Missing Authorization vulnerability in Hamza417 Inure Missing Authorization in GitHub repository hamza417/inure prior to build88. | 6.1 |
2023-08-19 | CVE-2023-4432 | Agentejo | Cross-site Scripting vulnerability in Agentejo Cockpit Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | 6.1 |
2023-08-18 | CVE-2023-38910 | Cszcms | Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.3.0 CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin. | 6.1 |
2023-08-18 | CVE-2023-32122 | Spiffyplugins | Cross-site Scripting vulnerability in Spiffyplugins Spiffy Calendar Unauth. | 6.1 |
2023-08-18 | CVE-2023-30499 | Foliovision | Cross-site Scripting vulnerability in Foliovision FV Flowplayer Video Player Unauth. | 6.1 |
2023-08-18 | CVE-2023-32108 | Eduva | Cross-site Scripting vulnerability in Eduva Albo Pretorio Online Unauth. | 6.1 |
2023-08-18 | CVE-2023-32109 | Eduva | Cross-site Scripting vulnerability in Eduva Albo Pretorio Online Unauth. | 6.1 |
2023-08-18 | CVE-2023-31218 | Pluginus | Cross-site Scripting vulnerability in Pluginus Wolf - Wordpress Posts Bulk Editor and products Manager Professional Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.6 versions. | 6.1 |
2023-08-18 | CVE-2023-32105 | WP Pizza | Cross-site Scripting vulnerability in Wp-Pizza Wppizza Unauth. | 6.1 |
2023-08-18 | CVE-2023-32106 | Fahad Mahmood | Cross-site Scripting vulnerability in Fahad Mahmood WP Docs Unauth. | 6.1 |
2023-08-18 | CVE-2023-32107 | AYS PRO | Cross-site Scripting vulnerability in Ays-Pro Photo Gallery Unauth. | 6.1 |
2023-08-18 | CVE-2023-31094 | Wptrio | Cross-site Scripting vulnerability in Wptrio Stock Sync for Woocommerce Unauth. | 6.1 |
2023-08-17 | CVE-2023-39971 | Acymailing | Cross-site Scripting vulnerability in Acymailing 6.7.0 Improper Neutralization of Input During Web Page Generation vulnerability in AcyMailing Enterprise component for Joomla allows XSS. | 6.1 |
2023-08-17 | CVE-2023-28693 | Balasahebbhise | Cross-site Scripting vulnerability in Balasahebbhise Advanced Youtube Channel Pagination Unauth. | 6.1 |
2023-08-17 | CVE-2023-31072 | Praveengoswami | Cross-site Scripting vulnerability in Praveengoswami Advanced Category Template 0.1 Unauth. | 6.1 |
2023-08-17 | CVE-2023-26530 | Updraftplus | Cross-site Scripting vulnerability in Updraftplus Updraft Unauth. | 6.1 |
2023-08-17 | CVE-2023-31074 | Hupe13 | Cross-site Scripting vulnerability in Hupe13 Extensions for Leaflet MAP Unauth. | 6.1 |
2023-08-17 | CVE-2023-30877 | Icopydoc | Cross-site Scripting vulnerability in Icopydoc XML for Google Merchant Center Unauth. | 6.1 |
2023-08-17 | CVE-2023-31071 | Ylefebvre | Cross-site Scripting vulnerability in Ylefebvre Modal Dialog Unauth. | 6.1 |
2023-08-17 | CVE-2023-31076 | Really Simple Plugins | Cross-site Scripting vulnerability in Really-Simple-Plugins Recipe Maker for Your Food Blog From ZIP Recipes Unauth. | 6.1 |
2023-08-16 | CVE-2023-20222 | Cisco | Cross-site Scripting vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. | 6.1 |
2023-08-16 | CVE-2023-20228 | Cisco | Cross-site Scripting vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user input. | 6.1 |
2023-08-16 | CVE-2023-20242 | Cisco | Cross-site Scripting vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. | 6.1 |
2023-08-16 | CVE-2023-0058 | Tiempo | Unspecified vulnerability in Tiempo The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | 6.1 |
2023-08-16 | CVE-2023-1465 | Wpeasypay | Unspecified vulnerability in Wpeasypay WP Easypay The WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin | 6.1 |
2023-08-16 | CVE-2023-2122 | 10Web | Unspecified vulnerability in 10Web Image Optimizer The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_tabs_active parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged in admin to execute arbitrary javascript by clicking a link. | 6.1 |
2023-08-16 | CVE-2023-2123 | Wpinventory | Unspecified vulnerability in Wpinventory WP Inventory Manager The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2023-08-16 | CVE-2023-2272 | Tiempo | Unspecified vulnerability in Tiempo The Tiempo.com WordPress plugin through 0.1.2 does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 6.1 |
2023-08-16 | CVE-2023-30779 | Daggerheart | Cross-site Scripting vulnerability in Daggerheart Query Wrangler Unauth. | 6.1 |
2023-08-16 | CVE-2023-30871 | Webdados | Cross-site Scripting vulnerability in Webdados Stock Exporter for Woocommerce Unauth. | 6.1 |
2023-08-16 | CVE-2023-30473 | Icopydoc | Cross-site Scripting vulnerability in Icopydoc YML for Yandex Market Unauth. | 6.1 |
2023-08-16 | CVE-2023-30782 | Churchadminplugin | Cross-site Scripting vulnerability in Churchadminplugin Church Admin Unauth. | 6.1 |
2023-08-16 | CVE-2023-30785 | I13Websolution | Cross-site Scripting vulnerability in I13Websolution Video Grid Unauth. | 6.1 |
2023-08-16 | CVE-2023-39507 | Recruit | Missing Authorization vulnerability in Recruit Rikunabi Next Improper authorization in the custom URL scheme handler in "Rikunabi NEXT" App for Android prior to ver. | 6.1 |
2023-08-16 | CVE-2023-26140 | Excalidraw | Cross-site Scripting vulnerability in Excalidraw Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization. | 6.1 |
2023-08-15 | CVE-2023-4371 | Phprecdb | Cross-site Scripting vulnerability in PHPrecdb 1.3.1 A vulnerability was found in phpRecDB 1.3.1. | 6.1 |
2023-08-15 | CVE-2023-30498 | Codeflavors | Cross-site Scripting vulnerability in Codeflavors Vimeotheque Unauth. | 6.1 |
2023-08-15 | CVE-2023-30747 | Wpgem | Cross-site Scripting vulnerability in Wpgem Woocommerce Easy Duplicate Product Unauth. | 6.1 |
2023-08-14 | CVE-2022-4953 | Elementor | Unspecified vulnerability in Elementor Website Builder The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. | 6.1 |
2023-08-14 | CVE-2023-2803 | Themefic | Unspecified vulnerability in Themefic Ultimate Addons for Contact Form 7 The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 6.1 |
2023-08-14 | CVE-2023-40024 | Nexb | Cross-site Scripting vulnerability in Nexb Scancode.Io ScanCode.io is a server to script and automate software composition analysis pipelines. | 6.1 |
2023-08-14 | CVE-2023-28535 | Commoninja | Cross-site Scripting vulnerability in Commoninja Paytm Payment Donation Unauth. | 6.1 |
2023-08-14 | CVE-2023-30489 | I13Websolution | Cross-site Scripting vulnerability in I13Websolution Email Subscription Popup Unauth. | 6.1 |
2023-08-14 | CVE-2023-30754 | WP Foxly | Cross-site Scripting vulnerability in WP Foxly Adfoxly 1.8.5 Unauth. | 6.1 |
2023-08-14 | CVE-2023-30475 | Couponaffiliates | Cross-site Scripting vulnerability in Couponaffiliates Woocommerce Affiliate Unauth. | 6.1 |
2023-08-14 | CVE-2023-30483 | Kibokolabs | Cross-site Scripting vulnerability in Kibokolabs Watu Quiz Unauth. | 6.1 |
2023-08-14 | CVE-2023-4321 | Agentejo | Cross-site Scripting vulnerability in Agentejo Cockpit Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3. | 6.1 |
2023-08-17 | CVE-2023-4394 | Linux | Use After Free vulnerability in Linux Kernel A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. | 6.0 |
2023-08-17 | CVE-2023-40251 | Genians | Missing Encryption of Sensitive Data vulnerability in Genians Genian NAC and Genian Ztna Missing Encryption of Sensitive Data vulnerability in Genians Genian NAC V4.0, Genians Genian NAC V5.0, Genians Genian NAC Suite V5.0, Genians Genian ZTNA allows Man in the Middle Attack. This issue affects Genian NAC V4.0: from V4.0.0 through V4.0.155; Genian NAC V5.0: from V5.0.0 through V5.0.42 (Revision 117460); Genian NAC Suite V5.0: from V5.0.0 through V5.0.54; Genian ZTNA: from V6.0.0 through V6.0.15. | 5.9 |
2023-08-16 | CVE-2023-4384 | Maximatech | Missing Encryption of Sensitive Data vulnerability in Maximatech Portal Executivo 21.9.1.140 A vulnerability has been found in MaximaTech Portal Executivo 21.9.1.140 and classified as problematic. | 5.9 |
2023-08-16 | CVE-2023-40343 | Jenkins | Information Exposure Through Discrepancy vulnerability in Jenkins Tuleap Authentication Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token. | 5.9 |
2023-08-20 | CVE-2023-4435 | Hamza417 | Improper Input Validation vulnerability in Hamza417 Inure Improper Input Validation in GitHub repository hamza417/inure prior to build88. | 5.5 |
2023-08-18 | CVE-2023-27471 | Insyde | Unspecified vulnerability in Insyde Insydeh2O An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. | 5.5 |
2023-08-17 | CVE-2023-38905 | Jeecg | SQL Injection vulnerability in Jeecg Boot SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a local attacker to cause a denial of service via the Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE functions. | 5.5 |
2023-08-17 | CVE-2023-39741 | Long Range ZIP Project | Out-of-bounds Write vulnerability in Long Range ZIP Project Long Range ZIP 0.651 lrzip v0.651 was discovered to contain a heap overflow via the libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp. | 5.5 |
2023-08-16 | CVE-2023-20217 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to insufficient input validation by the operating system CLI. | 5.5 |
2023-08-16 | CVE-2023-4385 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. | 5.5 |
2023-08-16 | CVE-2023-2737 | Thalesgroup | Incorrect Default Permissions vulnerability in Thalesgroup Safenet Authentication Service 3.4.0 Improper log permissions in SafeNet Authentication Service Version 3.4.0 on Windows allows an authenticated attacker to cause a denial of service via local privilege escalation. | 5.5 |
2023-08-16 | CVE-2023-39250 | Dell | Information Exposure Through Source Code vulnerability in Dell products Dell Storage Integration Tools for VMware (DSITV) and Dell Storage vSphere Client Plugin (DSVCP) versions prior to 6.1.1 and Replay Manager for VMware (RMSV) versions prior to 3.1.2 contain an information disclosure vulnerability. | 5.5 |
2023-08-15 | CVE-2023-4327 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable to exposure of sensitive data and the keys used for encryption are accessible to any local user on Linux | 5.5 |
2023-08-15 | CVE-2023-4328 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface is vulnerable to exposure of sensitive data and the keys used for encryption are accessible to any local user on Windows | 5.5 |
2023-08-15 | CVE-2023-4333 | Broadcom | Unspecified vulnerability in Broadcom Raid Controller web Interface 51.12.02779 Broadcom RAID Controller web interface doesn’t enforce SSL cipher ordering by server | 5.5 |
2023-08-15 | CVE-2023-38840 | Bitwarden | Unspecified vulnerability in Bitwarden Bitwarden Desktop 2023.7.0 and below allows an attacker with local access to obtain sensitive information via the Bitwarden.exe process. | 5.5 |
2023-08-15 | CVE-2023-38850 | Msweet | Classic Buffer Overflow vulnerability in Msweet Codedoc 3.7 Buffer Overflow vulnerability in Michaelrsweet codedoc v.3.7 allows an attacker to cause a denial of service via the codedoc.c:1742 component. | 5.5 |
2023-08-15 | CVE-2023-38857 | Faad2 Project | Out-of-bounds Write vulnerability in Faad2 Project Faad2 2.10.1 Buffer Overflow vulnerability in faad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the stcoin function in mp4read.c. | 5.5 |
2023-08-15 | CVE-2023-24478 | Intel | Use of Insufficiently Random Values vulnerability in Intel Quartus Prime Use of insufficiently random values for some Intel Agilex(R) software included as part of Intel(R) Quartus(R) Prime Pro Edition for linux before version 22.4 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2023-08-14 | CVE-2022-22646 | Apple | Unspecified vulnerability in Apple Macos 12.0.0/12.0.1/12.1 This issue was addressed by removing the vulnerable code. | 5.5 |
2023-08-14 | CVE-2022-22655 | Apple | Unspecified vulnerability in Apple Ipados, Iphone OS and Macos An access issue was addressed with improvements to the sandbox. | 5.5 |
2023-08-14 | CVE-2022-26699 | Apple | Unspecified vulnerability in Apple Macos A logic issue was addressed with improved state management. | 5.5 |
2023-08-14 | CVE-2022-46722 | Apple | Unspecified vulnerability in Apple Macos A logic issue was addressed with improved checks. | 5.5 |
2023-08-14 | CVE-2023-27939 | Apple | Out-of-bounds Read vulnerability in Apple Macos An out-of-bounds read was addressed with improved input validation. | 5.5 |
2023-08-14 | CVE-2023-27947 | Apple | Out-of-bounds Read vulnerability in Apple Macos An out-of-bounds read was addressed with improved input validation. | 5.5 |
2023-08-14 | CVE-2023-27948 | Apple | Out-of-bounds Read vulnerability in Apple Macos An out-of-bounds read was addressed with improved input validation. | 5.5 |
2023-08-14 | CVE-2023-28199 | Apple | Out-of-bounds Read vulnerability in Apple Macos An out-of-bounds read issue existed that led to the disclosure of kernel memory. | 5.5 |
2023-08-14 | CVE-2023-21230 | Google | Improper Check for Unusual or Exceptional Conditions vulnerability in Google Android 11.0/13.0 In onAccessPointChanged of AccessPointPreference.java, there is a possible way for unprivileged apps to receive a broadcast about WiFi access point change and its BSSID or SSID due to a precondition check failure. | 5.5 |
2023-08-14 | CVE-2023-21234 | Google | Missing Authorization vulnerability in Google Android 11.0/13.0 In launchConfirmationActivity of ChooseLockSettingsHelper.java, there is a possible way to enable developer options without the lockscreen PIN due to a missing permission check. | 5.5 |
2023-08-14 | CVE-2023-21271 | Google | Out-of-bounds Read vulnerability in Google Android 12.0/12.1/13.0 In parseInputs of ShimPreparedModel.cpp, there is a possible out of bounds read due to improper input validation. | 5.5 |
2023-08-14 | CVE-2023-21274 | Google | Out-of-bounds Read vulnerability in Google Android 12.0/12.1/13.0 In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check. | 5.5 |
2023-08-14 | CVE-2023-21276 | Google | Use of Uninitialized Resource vulnerability in Google Android 12.0/12.1/13.0 In writeToParcel of CursorWindow.cpp, there is a possible information disclosure due to uninitialized data. | 5.5 |
2023-08-14 | CVE-2023-21277 | Google | Unspecified vulnerability in Google Android 12.0/12.1/13.0 In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check. | 5.5 |
2023-08-14 | CVE-2023-21279 | Google | Unspecified vulnerability in Google Android 12.0/12.1/13.0 In visitUris of RemoteViews.java, there is a possible cross-user media read due to a confused deputy. | 5.5 |
2023-08-14 | CVE-2023-21280 | Google | Resource Exhaustion vulnerability in Google Android 12.0/12.1/13.0 In setMediaButtonBroadcastReceiver of MediaSessionRecord.java, there is a possible permanent DoS due to resource exhaustion. | 5.5 |
2023-08-14 | CVE-2023-21283 | Google | Unspecified vulnerability in Google Android In multiple functions of StatusHints.java, there is a possible way to reveal images across users due to a confused deputy. | 5.5 |
2023-08-14 | CVE-2023-21284 | Google | Improper Input Validation vulnerability in Google Android In multiple functions of DevicePolicyManager.java, there is a possible way to prevent enabling the Find my Device feature due to improper input validation. | 5.5 |
2023-08-14 | CVE-2023-21285 | Google | Unspecified vulnerability in Google Android In setMetadata of MediaSessionRecord.java, there is a possible way to view another user's images due to a confused deputy. | 5.5 |
2023-08-14 | CVE-2023-21288 | Google | Missing Authorization vulnerability in Google Android In visitUris of Notification.java, there is a possible way to reveal images across users due to a missing permission check. | 5.5 |
2023-08-14 | CVE-2023-21289 | Google | Unspecified vulnerability in Google Android In multiple locations, there is a possible bypass of a multi user security boundary due to a confused deputy. | 5.5 |
2023-08-14 | CVE-2023-21290 | Google | Race Condition vulnerability in Google Android In update of MmsProvider.java, there is a possible way to bypass file permission checks due to a race condition. | 5.5 |
2023-08-14 | CVE-2023-21292 | Google | Unspecified vulnerability in Google Android In openContentUri of ActivityManagerService.java, there is a possible way for a third party app to obtain restricted files due to a confused deputy. | 5.5 |
2023-08-14 | CVE-2023-21267 | Google | Unspecified vulnerability in Google Android In multiple functions of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. | 5.5 |
2023-08-14 | CVE-2023-21268 | Google | Path Traversal vulnerability in Google Android In update of MmsProvider.java, there is a possible way to change directory permissions due to a path traversal error. | 5.5 |
2023-08-14 | CVE-2023-40360 | Qemu | NULL Pointer Dereference vulnerability in Qemu QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled. | 5.5 |
2023-08-14 | CVE-2023-40305 | GNU | Out-of-bounds Write vulnerability in GNU Indent 2.2.13 GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in indent.c via a crafted file. | 5.5 |
2023-08-19 | CVE-2023-4433 | Agentejo | Cross-site Scripting vulnerability in Agentejo Cockpit Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | 5.4 |
2023-08-18 | CVE-2023-38911 | Cszcms | Cross-site Scripting vulnerability in Cszcms CSZ CMS 1.3.0 A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Gallery parameter in the YouTube URL fields. | 5.4 |
2023-08-18 | CVE-2023-29387 | Juliencrego | Cross-site Scripting vulnerability in Juliencrego Manager for Icomoon Auth. | 5.4 |
2023-08-18 | CVE-2023-32103 | Themepalace | Cross-site Scripting vulnerability in Themepalace TP Education Auth. | 5.4 |
2023-08-17 | CVE-2023-28783 | Phpradar | Cross-site Scripting vulnerability in PHPradar Woocommerce Tip/Donation Auth. | 5.4 |
2023-08-17 | CVE-2023-31079 | Thechrisroberts | Cross-site Scripting vulnerability in Thechrisroberts Tippy Auth. | 5.4 |
2023-08-17 | CVE-2023-28622 | Tridenttechnolabs | Cross-site Scripting vulnerability in Tridenttechnolabs Easy Slider Revolution Auth. | 5.4 |
2023-08-17 | CVE-2023-4395 | Agentejo | Cross-site Scripting vulnerability in Agentejo Cockpit Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | 5.4 |
2023-08-16 | CVE-2023-35011 | IBM | Server-Side Request Forgery (SSRF) vulnerability in IBM Cognos Analytics IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF). | 5.4 |
2023-08-16 | CVE-2023-20201 | Cisco | Cross-site Scripting vulnerability in Cisco Prime Infrastructure Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. | 5.4 |
2023-08-16 | CVE-2023-20203 | Cisco | Cross-site Scripting vulnerability in Cisco Prime Infrastructure Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. | 5.4 |
2023-08-16 | CVE-2023-20205 | Cisco | Cross-site Scripting vulnerability in Cisco Prime Infrastructure Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. | 5.4 |
2023-08-16 | CVE-2023-4382 | Tdevs | Cross-site Scripting vulnerability in Tdevs Hyip RIO 2.1 A vulnerability, which was classified as problematic, has been found in tdevs Hyip Rio 2.1. | 5.4 |
2023-08-16 | CVE-2023-40342 | Jenkins | Cross-site Scripting vulnerability in Jenkins Flaky Test Handler Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents. | 5.4 |
2023-08-16 | CVE-2023-40346 | Jenkins | Cross-site Scripting vulnerability in Jenkins Shortcut JOB Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs. | 5.4 |
2023-08-16 | CVE-2023-40350 | Jenkins | Cross-site Scripting vulnerability in Jenkins Docker Swarm Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker. | 5.4 |
2023-08-16 | CVE-2023-38904 | Decapcms | Cross-site Scripting vulnerability in Decapcms Netlify CMS 2.10.192 A Cross Site Scripting (XSS) vulnerability in Netlify CMS v.2.10.192 allows a remote attacker to execute arbitrary code via a crafted payload to the body parameter of the new post function. | 5.4 |
2023-08-16 | CVE-2022-4782 | Clickfunnels | Unspecified vulnerability in Clickfunnels The ClickFunnels WordPress plugin through 3.1.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. | 5.4 |
2023-08-16 | CVE-2023-0274 | Asandia | Unspecified vulnerability in Asandia URL Params The URL Params WordPress plugin before 2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2023-08-16 | CVE-2023-0551 | Minapper | Unspecified vulnerability in Minapper Rest API to Miniprogram The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users, such as subscriber, to call and delete arbitrary attachments | 5.4 |
2023-08-16 | CVE-2023-1110 | Yellowyard | Unspecified vulnerability in Yellowyard Yellow Yard Searchbar 2.8.2 The Yellow Yard Searchbar WordPress plugin before 2.8.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | 5.4 |
2023-08-16 | CVE-2023-30784 | Kayastudio | Cross-site Scripting vulnerability in Kayastudio Kaya QR Code Generator Auth. | 5.4 |
2023-08-16 | CVE-2023-3958 | Froger | Unspecified vulnerability in Froger WP Remote Users Sync The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12. | 5.4 |
2023-08-15 | CVE-2023-30778 | Blubrry | Cross-site Scripting vulnerability in Blubrry Powerpress Auth. | 5.4 |
2023-08-15 | CVE-2023-4308 | Plugin Planet | Unspecified vulnerability in Plugin-Planet User Submitted Posts The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user-submitted-content’ parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping. | 5.4 |
2023-08-15 | CVE-2023-4347 | Librenms | Cross-site Scripting vulnerability in Librenms Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.8.0. | 5.4 |
2023-08-14 | CVE-2023-38687 | Mskocik | Cross-site Scripting vulnerability in Mskocik Svelecte Svelecte is a flexible autocomplete/select component written in Svelte. | 5.4 |
2023-08-14 | CVE-2023-40013 | Shubhamjain | Cross-site Scripting vulnerability in Shubhamjain SVG Loader SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place. | 5.4 |
2023-08-20 | CVE-2023-4439 | Card Holder Management System Project | Improper Validation of Specified Quantity in Input vulnerability in Card Holder Management System Project Card Holder Management System 1.0 A vulnerability was found in SourceCodester Card Holder Management System 1.0 and classified as problematic. | 5.3 |
2023-08-20 | CVE-2023-36674 | Mediawiki | Unspecified vulnerability in Mediawiki An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. | 5.3 |
2023-08-18 | CVE-2023-4040 | Webtoffee | Unspecified vulnerability in Webtoffee Stripe Payment Plugin for Woocommerce The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_callback_handler function in versions up to, and including, 3.7.9. | 5.3 |
2023-08-17 | CVE-2023-39974 | Acymailing | Exposure of Resource to Wrong Sphere vulnerability in Acymailing 6.7.0 Exposure of Sensitive Information vulnerability in AcyMailing Enterprise component for Joomla. | 5.3 |
2023-08-17 | CVE-2023-36844 | Juniper | Unspecified vulnerability in Juniper Junos A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environment variables. Using a crafted request an attacker is able to modify certain PHP environment variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R3-S1; * 22.4 versions prior to 22.4R2-S2, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2. | 5.3 |
2023-08-17 | CVE-2023-36846 | Juniper | Missing Authentication for Critical Function vulnerability in Juniper Junos A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3. | 5.3 |
2023-08-17 | CVE-2023-36847 | Juniper | Missing Authentication for Critical Function vulnerability in Juniper Junos A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3. | 5.3 |
2023-08-17 | CVE-2023-39743 | Pete4Abw | Unspecified vulnerability in Pete4Abw Lzma Software Development KIT 23.01 lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3_decode_block src/libbz3.c. | 5.3 |
2023-08-17 | CVE-2023-4392 | Assaabloy | Cleartext Storage of Sensitive Information vulnerability in Assaabloy Control ID Gerencia web 1.30 A vulnerability was found in Control iD Gerencia Web 1.30 and classified as problematic. | 5.3 |
2023-08-16 | CVE-2023-35009 | IBM | Information Exposure Through an Error Message vulnerability in IBM Cognos Analytics IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a remote attacker to obtain system information without authentication which could be used in reconnaissance to gather information that could be used for future attacks. | 5.3 |
2023-08-16 | CVE-2023-20232 | Cisco | Improper Input Validation vulnerability in Cisco Unified Contact Center Express A vulnerability in the Tomcat implementation for Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to cause a web cache poisoning attack on an affected device. | 5.3 |
2023-08-16 | CVE-2023-40021 | Oppia | Information Exposure Through Discrepancy vulnerability in Oppia Oppia is an online learning platform. | 5.3 |
2023-08-16 | CVE-2023-40348 | Jenkins | Unspecified vulnerability in Jenkins Gogs The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output. | 5.3 |
2023-08-16 | CVE-2023-40349 | Jenkins | Improper Initialization vulnerability in Jenkins Gogs Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs. | 5.3 |
2023-08-15 | CVE-2023-40027 | Keystonejs | Missing Authorization vulnerability in Keystonejs Keystone Keystone is an open source headless CMS for Node.js — built with GraphQL and React. | 5.3 |
2023-08-15 | CVE-2023-4359 | Google Debian Fedoraproject | Inappropriate implementation in App Launcher in Google Chrome on iOS prior to 116.0.5845.96 allowed a remote attacker to potentially spoof elements of the security UI via a crafted HTML page. | 5.3 |
2023-08-15 | CVE-2023-4361 | Google Debian Fedoraproject | Inappropriate implementation in Autofill in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page. | 5.3 |
2023-08-15 | CVE-2023-38898 | Python | Unspecified vulnerability in Python 3.13.0 An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. | 5.3 |
2023-08-15 | CVE-2023-32003 | Nodejs Fedoraproject | Path Traversal vulnerability in multiple products `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. | 5.3 |
2023-08-15 | CVE-2023-2916 | Revmakx | Exposure of Resource to Wrong Sphere vulnerability in Revmakx Infinitewp Client The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. | 5.3 |
2023-08-14 | CVE-2023-39950 | Siemens | Improper Input Validation vulnerability in Siemens Efibootguard efibootguard is a simple UEFI boot loader with support for safely switching between current and updated partition sets. | 5.2 |
2023-08-14 | CVE-2023-40312 | Opennms | Cross-site Scripting vulnerability in Opennms Horizon and Meridian Multiple reflected XSS were found on different JSP files with unsanitized parameters in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that an attacker can modify to craft a malicious XSS payload. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. | 5.2 |
2023-08-18 | CVE-2023-4422 | Agentejo | Cross-site Scripting vulnerability in Agentejo Cockpit Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. | 4.8 |
2023-08-18 | CVE-2023-32130 | Danielpowney | Cross-site Scripting vulnerability in Danielpowney Multi Rating Auth. | 4.8 |
2023-08-18 | CVE-2023-31232 | Artiss | Cross-site Scripting vulnerability in Artiss Plugins List Auth. | 4.8 |
2023-08-18 | CVE-2023-31228 | Cminds | Cross-site Scripting vulnerability in Cminds CM on Demand Search and Replace Auth. | 4.8 |
2023-08-18 | CVE-2023-30875 | Allmywebneeds | Cross-site Scripting vulnerability in Allmywebneeds Logo Scheduler 1.2.0 Auth. | 4.8 |
2023-08-17 | CVE-2023-28690 | Marcosteinbrecher | Cross-site Scripting vulnerability in Marcosteinbrecher WP Browserupdate 4.5 Auth. | 4.8 |
2023-08-17 | CVE-2023-31942 | Online Travel Agency System Project | Cross-site Scripting vulnerability in Online Travel Agency System Project Online Travel Agency System 1.0 Cross Site Scripting vulnerability found in Online Travel Agency System v.1.0 allows a remote attacker to execute arbitrary code via the description parameter in insert.php. | 4.8 |
2023-08-17 | CVE-2023-34412 | Helmholz Redlion | Cross-site Scripting vulnerability in multiple products A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower than 7.3.2 allows an authenticated remote attacker with high privileges to inject malicious HTML or JavaScript code (XSS). | 4.8 |
2023-08-17 | CVE-2023-31091 | Pradeepsinghweb | Cross-site Scripting vulnerability in Pradeepsinghweb Dynamically Register Sidebars Auth. | 4.8 |
2023-08-17 | CVE-2023-28533 | Nimbus | Cross-site Scripting vulnerability in Nimbus CAB Grid Auth. | 4.8 |
2023-08-17 | CVE-2023-30874 | Stpetedesign | Cross-site Scripting vulnerability in Stpetedesign GPS Plotter Auth. | 4.8 |
2023-08-17 | CVE-2023-30876 | Davidmichaelross | Cross-site Scripting vulnerability in Davidmichaelross Dave'S Wordpress Live Search Auth. | 4.8 |
2023-08-17 | CVE-2023-40281 | EC Cube | Cross-site Scripting vulnerability in Ec-Cube EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product. | 4.8 |
2023-08-16 | CVE-2023-2225 | Pottie | Unspecified vulnerability in Pottie SEO Alert The SEO Alert WordPress plugin through 1.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2023-08-16 | CVE-2023-2254 | KO FI | Cross-site Scripting vulnerability in Ko-Fi Button The Ko-fi Button WordPress plugin before 1.3.3 does not properly some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup), and we consider it a low risk. | 4.8 |
2023-08-16 | CVE-2023-30786 | Fuzzguard | Cross-site Scripting vulnerability in Fuzzguard Captcha Them ALL Auth. | 4.8 |
2023-08-14 | CVE-2023-2606 | Brutalplugins | Unspecified vulnerability in Brutalplugins WP Brutal AI The WP Brutal AI WordPress plugin before 2.06 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2023-08-14 | CVE-2023-2802 | Themefic | Unspecified vulnerability in Themefic Ultimate Addons for Contact Form 7 The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2023-08-14 | CVE-2023-3328 | Custom Field FOR WP JOB Manager Project | Unspecified vulnerability in Custom Field for WP JOB Manager Project Custom Field for WP JOB Manager 1.1 The Custom Field For WP Job Manager WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2023-08-14 | CVE-2023-3645 | Bitapps | Unspecified vulnerability in Bitapps Contact Form Builder The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2023-08-14 | CVE-2023-3721 | Lesterchan | Cross-site Scripting vulnerability in Lesterchan Wp-Email The WP-EMail WordPress plugin before 2.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2023-08-14 | CVE-2023-40311 | Opennms | Cross-site Scripting vulnerability in Opennms Horizon and Meridian Multiple stored XSS were found on different JSP files with unsanitized parameters in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that allow an attacker to store on database and then load on JSPs or Angular templates. | 4.8 |
2023-08-14 | CVE-2023-30749 | Ihomefinder | Cross-site Scripting vulnerability in Ihomefinder Optima Express + Marketboost IDX 7.3.0 Auth. | 4.8 |
2023-08-14 | CVE-2023-30751 | Icontrolwp | Cross-site Scripting vulnerability in Icontrolwp Article Directory Redux 1.0.2 Auth. | 4.8 |
2023-08-14 | CVE-2023-30752 | Gingertech | Cross-site Scripting vulnerability in Gingertech External Videos 2.0.1 Auth. | 4.8 |
2023-08-14 | CVE-2023-29097 | A3Rev | Cross-site Scripting vulnerability in A3Rev A3 Portfolio Auth. | 4.8 |
2023-08-14 | CVE-2023-30477 | Essitco | Cross-site Scripting vulnerability in Essitco Affiliate Solution Auth. | 4.8 |
2023-08-14 | CVE-2023-37070 | Code Projects | Cross-site Scripting vulnerability in Code-Projects Hospital Information System 1.0 Code Projects Hospital Information System 1.0 is vulnerable to Cross Site Scripting (XSS) | 4.8 |
2023-08-15 | CVE-2023-39841 | Etekcity | Missing Encryption of Sensitive Data vulnerability in Etekcity 3-In-1 Smart Door Lock Firmware 1.0 Missing encryption in the RFID tag of Etekcity 3-in-1 Smart Door Lock v1.0 allows attackers to create a cloned tag via brief physical proximity to the original device. | 4.6 |
2023-08-15 | CVE-2023-20560 | AMD | Improper Input Validation vulnerability in AMD Ryzen Master and Ryzen Master Monitoring SDK Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may allow a privileged attacker to provide a null value potentially resulting in a Windows crash leading to denial of service. | 4.4 |
2023-08-17 | CVE-2023-39972 | Acymailing | Unspecified vulnerability in Acymailing 6.7.0 Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. | 4.3 |
2023-08-17 | CVE-2023-39973 | Acymailing | Unspecified vulnerability in Acymailing 6.7.0 Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. | 4.3 |
2023-08-17 | CVE-2023-3244 | Wphappycoders | Unspecified vulnerability in Wphappycoders Comments Like Dislike The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the restore_settings function called via an AJAX action in versions up to, and including, 1.1.9. | 4.3 |
2023-08-16 | CVE-2023-20237 | Cisco | Command Injection vulnerability in Cisco Intersight Virtual Appliance A vulnerability in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access internal HTTP services that are otherwise inaccessible. This vulnerability is due to insufficient restrictions on internally accessible http proxies. | 4.3 |
2023-08-16 | CVE-2023-40337 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Folders A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder. | 4.3 |
2023-08-16 | CVE-2023-40338 | Jenkins | Information Exposure Through Log Files vulnerability in Jenkins Folders Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system. | 4.3 |
2023-08-16 | CVE-2023-40344 | Jenkins | Missing Authorization vulnerability in Jenkins Delphix A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
2023-08-16 | CVE-2023-40351 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Favorite View A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar. | 4.3 |
2023-08-16 | CVE-2023-32488 | Dell | Unspecified vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS, 8.2.x-9.5.0.x, contains an information disclosure vulnerability in NFS. | 4.3 |
2023-08-16 | CVE-2023-2271 | Tiempo | Unspecified vulnerability in Tiempo The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack | 4.3 |
2023-08-16 | CVE-2023-4381 | Instantcms | Unspecified vulnerability in Instantcms Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git. | 4.3 |
2023-08-16 | CVE-2023-4374 | Froger | Unspecified vulnerability in Froger WP Remote Users Sync The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'refresh_logs_async' functions in versions up to, and including, 1.2.11. | 4.3 |
2023-08-15 | CVE-2023-4360 | Google Debian Fedoraproject | Inappropriate implementation in Color in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to obfuscate security UI via a crafted HTML page. | 4.3 |
2023-08-15 | CVE-2023-4363 | Google Debian Fedoraproject | Inappropriate implementation in WebShare in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to spoof the contents of a dialog URL via a crafted HTML page. | 4.3 |
2023-08-15 | CVE-2023-4364 | Google Debian Fedoraproject | Inappropriate implementation in Permission Prompts in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to obfuscate security UI via a crafted HTML page. | 4.3 |
2023-08-15 | CVE-2023-4365 | Google Debian Fedoraproject | Inappropriate implementation in Fullscreen in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to obfuscate security UI via a crafted HTML page. | 4.3 |
2023-08-14 | CVE-2022-46725 | Apple | Unspecified vulnerability in Apple Iphone OS A spoofing issue existed in the handling of URLs. | 4.3 |
2023-08-14 | CVE-2023-3601 | Webfactoryltd | Unspecified vulnerability in Webfactoryltd Simple Author BOX The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. | 4.3 |
2023-08-14 | CVE-2023-40292 | Samsung | Unspecified vulnerability in Samsung Harman Infotainment 20190525031613 Harman Infotainment 20190525031613 and later discloses the IP address via CarPlay CTRL packets. | 4.3 |
9 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-08-16 | CVE-2023-32453 | Dell | Improper Authentication vulnerability in Dell products Dell BIOS contains an improper authentication vulnerability. | 3.9 |
2023-08-17 | CVE-2023-25647 | ZTE | Incorrect Authorization vulnerability in ZTE products There is a permission and access control vulnerability in some ZTE mobile phones. | 3.3 |
2023-08-14 | CVE-2022-32876 | Apple | Unspecified vulnerability in Apple Macos A logic issue was addressed with improved restrictions. | 3.3 |
2023-08-14 | CVE-2023-21232 | | Unspecified vulnerability in Google Android 11.0/13.0 In multiple locations, there is a possible way to retrieve sensor data without permissions due to a permissions bypass. | 3.3 |
2023-08-14 | CVE-2023-21278 | | Unspecified vulnerability in Google Android 12.0/12.1/13.0 In multiple locations, there is a possible way to obscure the microphone privacy indicator due to a logic error in the code. | 3.3 |
2023-08-18 | CVE-2023-4413 | Rootkit Hunter Project | Information Exposure Through Log Files vulnerability in Rootkit Hunter Project Rootkit Hunter 1.4.4/1.4.6 ** DISPUTED ** A vulnerability was found in rkhunter Rootkit Hunter 1.4.4/1.4.6. | 2.5 |
2023-08-15 | CVE-2023-39842 | Mydigoo | Missing Encryption of Sensitive Data vulnerability in Mydigoo Dg-Hamb Smart Home Security System Firmware 1.0 Missing encryption in the RFID tag of Digoo DG-HAMB Smart Home Security System v1.0 allows attackers to create a cloned tag via brief physical proximity to the original device. | 2.4 |
2023-08-15 | CVE-2023-39843 | Sulimet | Missing Encryption of Sensitive Data vulnerability in Sulimet 5-In-1 Smart Door Lock Firmware 1.0 Missing encryption in the RFID tag of Suleve 5-in-1 Smart Door Lock v1.0 allows attackers to create a cloned tag via brief physical proximity to the original device. | 2.4 |
2023-08-14 | CVE-2022-46724 | Apple | Unspecified vulnerability in Apple Iphone OS This issue was addressed by restricting options offered on a locked device. | 2.4 |