Weekly Vulnerabilities Reports > September 11 to 17, 2023

Overview

501 new vulnerabilities reported during this period, including 79 critical vulnerabilities and 198 high severity vulnerabilities. This weekly summary report vulnerabilities in 536 products from 218 vendors including Microsoft, Google, Siemens, Adobe, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Use After Free", and "Improper Authentication".

  • 350 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities have public exploit available.
  • 166 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 292 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 64 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

79 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-09-12 CVE-2023-40622 SAP Information Exposure vulnerability in SAP Businessobjects Business Intelligence 420/430

SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, under certain condition allows an authenticated attacker to view sensitive information which is otherwise restricted.

9.9
2023-09-17 CVE-2023-5020 07Fly SQL Injection vulnerability in 07Fly Customer Relationship Management 2.0

A vulnerability, which was classified as critical, has been found in 07FLY CRM V2.

9.8
2023-09-17 CVE-2023-5018 Oretnom23 SQL Injection vulnerability in Oretnom23 Lost and Found Information System 1.0

A vulnerability classified as critical has been found in SourceCodester Lost and Found Information System 1.0.

9.8
2023-09-17 CVE-2023-5019 Tongda2000 SQL Injection vulnerability in Tongda2000 Tongda Office Anywhere

A vulnerability classified as critical was found in Tongda OA.

9.8
2023-09-17 CVE-2023-5017 Lmxcms SQL Injection vulnerability in Lmxcms

A vulnerability was found in lmxcms up to 1.41.

9.8
2023-09-17 CVE-2023-5016 Ssssssss Deserialization of Untrusted Data vulnerability in Ssssssss Spider-Flow 0.4.3

A vulnerability was found in spider-flow up to 0.5.0.

9.8
2023-09-17 CVE-2023-5014 Food Ordering Website Project SQL Injection vulnerability in Food Ordering Website Project Food Ordering Website 1.0

A vulnerability was found in Sakshi2610 Food Ordering Website 1.0 and classified as critical.

9.8
2023-09-16 CVE-2023-42336 Netis Systems Use of Hard-coded Credentials vulnerability in Netis-Systems Wf2409E Firmware 1.0.1.705

An issue in NETIS SYSTEMS WF2409Ev4 v.1.0.1.705 allows a remote attacker to execute arbitrary code and obtain sensitive information via the password parameter in the /etc/shadow.sample component.

9.8
2023-09-15 CVE-2023-0923 Redhat Missing Authorization vulnerability in Redhat Openshift Data Science

A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API.

9.8
2023-09-15 CVE-2023-41887 Openrefine SQL Injection vulnerability in Openrefine

OpenRefine is a powerful free, open source tool for working with messy data.

9.8
2023-09-15 CVE-2023-38507 Strapi Allocation of Resources Without Limits or Throttling vulnerability in Strapi

Strapi is the an open-source headless content management system.

9.8
2023-09-15 CVE-2023-28614 Freewillsolutions OS Command Injection vulnerability in Freewillsolutions Smart Trade 20.01.01.04

Freewill iFIS (aka SMART Trade) 20.01.01.04 allows OS Command Injection via shell metacharacters to a report page.

9.8
2023-09-15 CVE-2023-42398 Zzcms Server-Side Request Forgery (SSRF) vulnerability in Zzcms 2023

An issue in zzCMS v.2023 allows a remote attacker to execute arbitrary code and obtain sensitive information via the ueditor component in controller.php.

9.8
2023-09-15 CVE-2023-4988 Laiketui Unrestricted Upload of File with Dangerous Type vulnerability in Laiketui

A vulnerability, which was classified as problematic, was found in Bettershop LaikeTui.

9.8
2023-09-15 CVE-2023-4661 Saphira SQL Injection vulnerability in Saphira Connect

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saphira Saphira Connect allows SQL Injection.This issue affects Saphira Connect: before 9.

9.8
2023-09-15 CVE-2023-4662 Saphira Improper Privilege Management vulnerability in Saphira Connect

Execution with Unnecessary Privileges vulnerability in Saphira Saphira Connect allows Remote Code Inclusion.This issue affects Saphira Connect: before 9.

9.8
2023-09-15 CVE-2023-4833 Besttem Network Marketing Project SQL Injection vulnerability in Besttem Network Marketing Project Besttem Network Marketing

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Besttem Network Marketing Software allows SQL Injection.This issue affects Network Marketing Software: before 1.0.2309.6.

9.8
2023-09-15 CVE-2023-4835 Petroleum Management Software Application Project SQL Injection vulnerability in Petroleum Management Software Application Project Petroleum Management Software Application

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CF Software Oil Management Software allows SQL Injection.This issue affects Oil Management Software: before 20230912 .

9.8
2023-09-15 CVE-2023-4231 Cevik SQL Injection vulnerability in Cevik Informatics Online Payment System

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cevik Informatics Online Payment System allows SQL Injection.This issue affects Online Payment System: before 4.09.

9.8
2023-09-15 CVE-2023-4670 Innosa Probbys Project SQL Injection vulnerability in Innosa Probbys Project Innosa Probbys

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Innosa Probbys allows SQL Injection.This issue affects Probbys: before 2.

9.8
2023-09-15 CVE-2023-4831 Weather SQL Injection vulnerability in Weather Ncode Ncep

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ncode Ncep allows SQL Injection.This issue affects Ncep: before 20230914 .

9.8
2023-09-15 CVE-2023-36657 Opswat Improper Privilege Management vulnerability in Opswat Metadefender Kiosk

An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996.

9.8
2023-09-15 CVE-2023-36659 Opswat Classic Buffer Overflow vulnerability in Opswat Metadefender Kiosk

An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996.

9.8
2023-09-15 CVE-2023-4673 Sanalogi SQL Injection vulnerability in Sanalogi Turasistan

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sanalogy Turasistan allows SQL Injection.This issue affects Turasistan: before 20230911 .

9.8
2023-09-15 CVE-2023-4830 Turaconsulting SQL Injection vulnerability in Turaconsulting Signalix 7T0228

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tura Signalix allows SQL Injection.This issue affects Signalix: 7T_0228.

9.8
2023-09-15 CVE-2023-4974 Creativeitem SQL Injection vulnerability in Creativeitem Academy LMS 6.2

A vulnerability was found in Academy LMS 6.2.

9.8
2023-09-15 CVE-2023-39643 Blmodules SQL Injection vulnerability in Blmodules Xmlfeeds PRO 3.8.2

Bl Modules xmlfeeds before v3.9.8 was discovered to contain a SQL injection vulnerability via the component SearchApiXml::Xmlfeeds().

9.8
2023-09-15 CVE-2023-39639 Leotheme SQL Injection vulnerability in Leotheme Leoblog 3.0.0/3.0.6/3.1.2

LeoTheme leoblog up to v3.1.2 was discovered to contain a SQL injection vulnerability via the component LeoBlogBlog::getListBlogs.

9.8
2023-09-15 CVE-2023-39641 Activedesign SQL Injection vulnerability in Activedesign Full Affiliates

Active Design psaffiliate before v1.9.8 was discovered to contain a SQL injection vulnerability via the component PsaffiliateGetaffiliatesdetailsModuleFrontController::initContent().

9.8
2023-09-15 CVE-2023-39642 Carts Guru SQL Injection vulnerability in Carts.Guru Cartsguru

Carts Guru cartsguru up to v2.4.2 was discovered to contain a SQL injection vulnerability via the component CartsGuruCatalogModuleFrontController::display().

9.8
2023-09-14 CVE-2023-42405 Fit2Cloud SQL Injection vulnerability in Fit2Cloud Rackshift 1.7.1

SQL injection vulnerability in FIT2CLOUD RackShift v1.7.1 allows attackers to execute arbitrary code via the `sort` parameter to taskService.list(), bareMetalService.list(), and switchService.list().

9.8
2023-09-14 CVE-2023-39638 Dlink Command Injection vulnerability in Dlink Dir-859 A1 Firmware 1.05/1.06

D-LINK DIR-859 A1 1.05 and A1 1.06B01 Beta01 was discovered to contain a command injection vulnerability via the lxmldbc_system function at /htdocs/cgibin.

9.8
2023-09-14 CVE-2023-37756 I Doit Weak Password Requirements vulnerability in I-Doit

I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creation.

9.8
2023-09-14 CVE-2023-38912 Superstorefinder SQL Injection vulnerability in Superstorefinder PHP Script 3.6

SQL injection vulnerability in Super Store Finder PHP Script v.3.6 allows a remote attacker to execute arbitrary code via a crafted payload to the username parameter.

9.8
2023-09-14 CVE-2023-37755 I Doit Use of Hard-coded Credentials vulnerability in I-Doit

i-doit pro 25 and below and I-doit open 25 and below are configured with insecure default administrator credentials, and there is no warning or prompt to ask users to change the default password and account name.

9.8
2023-09-14 CVE-2023-4702 Yepas Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas

Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass.This issue affects Digital Yepas: before 1.0.1.

9.8
2023-09-14 CVE-2023-4972 Yepas Improper Privilege Management vulnerability in Yepas Digital Yepas

Improper Privilege Management vulnerability in Yepas Digital Yepas allows Collect Data as Provided by Users.This issue affects .

9.8
2023-09-14 CVE-2023-41011 Chinamobile Command Injection vulnerability in Chinamobile Intelligent Home Gateway Firmware Hg6543C4

Command Execution vulnerability in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via the shortcut_telnet.cg component.

9.8
2023-09-14 CVE-2023-4669 Exagate Improper Authentication vulnerability in Exagate Sysguard 3001 Firmware

Authentication Bypass by Assumed-Immutable Data vulnerability in Exagate SYSGuard 3001 allows Authentication Bypass.This issue affects SYSGuard 3001: before 3.2.20.0.

9.8
2023-09-14 CVE-2023-4766 Movus SQL Injection vulnerability in Movus

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Movus allows SQL Injection.This issue affects Movus: before 20230913.

9.8
2023-09-14 CVE-2023-4832 Acekaholding SQL Injection vulnerability in Acekaholding Company Management

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aceka Company Management allows SQL Injection.This issue affects Company Management: before 3072 .

9.8
2023-09-14 CVE-2023-30909 HP Unspecified vulnerability in HP Oneview

A remote authentication bypass issue exists in some OneView APIs.

9.8
2023-09-14 CVE-2023-38204 Adobe Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023

Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution.

9.8
2023-09-13 CVE-2023-41892 Craftcms Code Injection vulnerability in Craftcms Craft CMS

Craft CMS is a platform for creating digital experiences.

9.8
2023-09-13 CVE-2023-3935 Wibu
Trumpf
Phoenixcontact
Out-of-bounds Write vulnerability in multiple products

A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.

9.8
2023-09-12 CVE-2023-39073 Voltronicpower Missing Authorization vulnerability in Voltronicpower Snmp web PRO 1.1

An issue in SNMP Web Pro v.1.1 allows a remote attacker to execute arbitrary code and obtain senstive information via a crafted request.

9.8
2023-09-12 CVE-2023-3710 Honeywell Command Injection vulnerability in Honeywell Pm43 Firmware

Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g.

9.8
2023-09-12 CVE-2023-41331 Sofastack Expression Language Injection vulnerability in Sofastack Sofarpc

SOFARPC is a Java RPC framework.

9.8
2023-09-12 CVE-2023-4501 Microfocus Improper Authentication vulnerability in Microfocus products

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations.

9.8
2023-09-12 CVE-2023-29332 Microsoft Improper Input Validation vulnerability in Microsoft Azure Kubernetes Service

Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability

9.8
2023-09-12 CVE-2023-36758 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2022 17.7/17.7.4

Visual Studio Elevation of Privilege Vulnerability

9.8
2023-09-12 CVE-2023-36765 Microsoft Unspecified vulnerability in Microsoft Office 2019

Microsoft Office Elevation of Privilege Vulnerability

9.8
2023-09-12 CVE-2023-40784 Dedecms Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7.102

DedeCMS 5.7.102 has a File Upload vulnerability via uploads/dede/module_make.php.

9.8
2023-09-12 CVE-2023-2071 Rockwellautomation Unrestricted Upload of File with Dangerous Type vulnerability in Rockwellautomation Factorytalk View

Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets.

9.8
2023-09-12 CVE-2023-40834 Opencart Improper Restriction of Excessive Authentication Attempts vulnerability in Opencart 4.0.2.2

OpenCart CMS v4.0.2.2 was discovered to lack a protective mechanism on its login page against excessive login attempts, allowing unauthenticated attackers to gain access to the application via a brute force attack to the password parameter.

9.8
2023-09-12 CVE-2023-39150 Maximus5 Unspecified vulnerability in Maximus5 Conemu

ConEmu before commit 230724 does not sanitize title responses correctly for control characters, potentially leading to arbitrary code execution.

9.8
2023-09-12 CVE-2023-39637 Dlink Command Injection vulnerability in Dlink Dir-816 Firmware 1.10B05

D-Link DIR-816 A2 1.10 B05 was discovered to contain a command injection vulnerability via the component /goform/Diagnosis.

9.8
2023-09-12 CVE-2023-40309 SAP Missing Authorization vulnerability in SAP products

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges.

9.8
2023-09-11 CVE-2023-39069 Strangebee Improper Authentication vulnerability in Strangebee Cortex and Thehive

An issue in StrangeBee TheHive v.5.0.8, v.4.1.21 and Cortex v.3.1.6 allows a remote attacker to gain privileges via Active Directory authentication mechanism.

9.8
2023-09-11 CVE-2023-35681 Google Integer Overflow or Wraparound vulnerability in Google Android 13.0

In eatt_l2cap_reconfig_completed of eatt_impl.h, there is a possible out of bounds write due to an integer overflow.

9.8
2023-09-11 CVE-2023-4897 Mintplexlabs Relative Path Traversal vulnerability in Mintplexlabs Anythingllm

Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.

9.8
2023-09-11 CVE-2023-40150 Softneta Exposed Dangerous Method or Function vulnerability in Softneta Meddream Pacs

Softneta MedDream PACS does not perform an authentication check and performs some dangerous functionality, which could result in unauthenticated remote code execution.0

9.8
2023-09-11 CVE-2023-40944 Schoolmate Project SQL Injection vulnerability in Schoolmate Project Schoolmate 1.3

Schoolmate 1.3 is vulnerable to SQL Injection in the variable $schoolname from Database at ~\header.php.

9.8
2023-09-11 CVE-2023-40945 Doctor Appointment System Project SQL Injection vulnerability in Doctor Appointment System Project Doctor Appointment System 1.0

Sourcecodester Doctor Appointment System 1.0 is vulnerable to SQL Injection in the variable $userid at doctors\myDetails.php.

9.8
2023-09-11 CVE-2023-40946 Schoolmate Project SQL Injection vulnerability in Schoolmate Project Schoolmate 1.3

Schoolmate 1.3 is vulnerable to SQL Injection in the variable $username from SESSION in ValidateLogin.php.

9.8
2023-09-11 CVE-2020-19319 Dlink Classic Buffer Overflow vulnerability in Dlink Dir-619L Firmware 2.06

Buffer overflow vulnerability in DLINK 619L version B 2.06beta via the FILECODE parameter on login.

9.8
2023-09-11 CVE-2020-19320 Dlink Classic Buffer Overflow vulnerability in Dlink Dir-619L Firmware 2.06

Buffer overflow vulnerability in DLINK 619L version B 2.06beta via the curTime parameter on login.

9.8
2023-09-11 CVE-2020-19559 Dieboldnixdorf Deserialization of Untrusted Data vulnerability in Dieboldnixdorf Agilis XFS for Opteva 4.1.61.1

An issue in Diebold Aglis XFS for Opteva v.4.1.61.1 allows a remote attacker to execute arbitrary code via a crafted payload to the ResolveMethod() parameter.

9.8
2023-09-11 CVE-2023-31067 Tsplus Incorrect Default Permissions vulnerability in Tsplus Remote Access

An issue was discovered in TSplus Remote Access through 16.0.2.14.

9.8
2023-09-11 CVE-2023-31068 Tsplus Incorrect Default Permissions vulnerability in Tsplus Remote Access

An issue was discovered in TSplus Remote Access through 16.0.2.14.

9.8
2023-09-11 CVE-2023-31069 Tsplus Cleartext Storage of Sensitive Information vulnerability in Tsplus Remote Access 16.0.0.0

An issue was discovered in TSplus Remote Access through 16.0.2.14.

9.8
2023-09-11 CVE-2023-30058 Xxyopen SQL Injection vulnerability in Xxyopen Novel-Plus 3.6.2

novel-plus 3.6.2 is vulnerable to SQL Injection.

9.8
2023-09-11 CVE-2023-36140 Phpjabbers Missing Authorization vulnerability in PHPjabbers Cleaning Business Software 1.0

In PHPJabbers Cleaning Business Software 1.0, there is no encryption on user passwords allowing an attacker to gain access to all user accounts.

9.8
2023-09-11 CVE-2023-42470 Imoulife Code Injection vulnerability in Imoulife Life

The Imou Life com.mm.android.smartlifeiot application through 6.8.0 for Android allows Remote Code Execution via a crafted intent to an exported component.

9.8
2023-09-11 CVE-2023-42471 Wave AI Code Injection vulnerability in Wave-Ai Wave

The wave.ai.browser application through 1.0.35 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent.

9.8
2023-09-11 CVE-2023-40039 Arris Unspecified vulnerability in Arris Tg1672G Firmware, Tg852G Firmware and Tg862G Firmware

An issue was discovered on ARRIS TG852G, TG862G, and TG1672G devices.

9.8
2023-09-15 CVE-2023-36735 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

9.6
2023-09-11 CVE-2023-41256 Doverfuelingsolutions Authentication Bypass Using an Alternate Path or Channel vulnerability in Doverfuelingsolutions Maglink LX web Console Configuration

Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 are vulnerable to authentication bypass that could allow an unauthorized attacker to obtain user access.

9.1
2023-09-16 CVE-2023-39612 Filebrowser Cross-site Scripting vulnerability in Filebrowser

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.

9.0

198 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-09-17 CVE-2023-5029 Chshcms SQL Injection vulnerability in Chshcms Mccms 2.6

A vulnerability, which was classified as critical, was found in mccms 2.6.

8.8
2023-09-17 CVE-2023-5030 Tongda2000 SQL Injection vulnerability in Tongda2000 Tongda Office Anywhere

A vulnerability has been found in Tongda OA up to 11.10 and classified as critical.

8.8
2023-09-17 CVE-2023-5023 Tongda2000 SQL Injection vulnerability in Tongda2000 Tongda Office Anywhere 2017

A vulnerability was found in Tongda OA 2017 and classified as critical.

8.8
2023-09-17 CVE-2023-5022 Dedecms Absolute Path Traversal vulnerability in Dedecms

A vulnerability has been found in DedeCMS up to 5.7.100 and classified as critical.

8.8
2023-09-15 CVE-2023-42270 Grocy Project Cross-Site Request Forgery (CSRF) vulnerability in Grocy Project Grocy

Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF).

8.8
2023-09-15 CVE-2023-4664 Saphira Incorrect Default Permissions vulnerability in Saphira Connect

Incorrect Default Permissions vulnerability in Saphira Saphira Connect allows Privilege Escalation.This issue affects Saphira Connect: before 9.

8.8
2023-09-15 CVE-2023-4665 Saphira Incorrect Permission Assignment for Critical Resource vulnerability in Saphira Connect

Incorrect Execution-Assigned Permissions vulnerability in Saphira Saphira Connect allows Privilege Escalation.This issue affects Saphira Connect: before 9.

8.8
2023-09-15 CVE-2023-40955 Didotech SQL Injection vulnerability in Didotech Engineering & Lifecycle Management

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 allows a remote authenticated attacker to execute arbitrary code via the select parameter in models/base_client.py component.

8.8
2023-09-15 CVE-2023-40956 Cloudroits SQL Injection vulnerability in Cloudroits Wesite JOB Search 15.0

A SQL injection vulnerability in Cloudroits Website Job Search v.15.0 allows a remote authenticated attacker to execute arbitrary code via the name parameter in controllers/main.py component.

8.8
2023-09-15 CVE-2023-40957 Didotech SQL Injection vulnerability in Didotech Engineering & Lifecycle Management

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 allows a remote authenticated attacker to execute arbitrary code via the request parameter in models/base_client.py component.

8.8
2023-09-15 CVE-2023-40958 Didotech SQL Injection vulnerability in Didotech Engineering & Lifecycle Management

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fixed in pdm-14.0.1.0.0, pdm-15.0.1.0.0, and pdm-16.0.1.0.0 allows a remote authenticated attacker to execute arbitrary code via the query parameter in models/base_client.py component.

8.8
2023-09-14 CVE-2023-38891 Vtiger SQL Injection vulnerability in Vtiger CRM 7.5.0

SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.

8.8
2023-09-14 CVE-2023-40868 Moosocial Cross-Site Request Forgery (CSRF) vulnerability in Moosocial

Cross Site Request Forgery vulnerability in mooSocial MooSocial Software v.Demo allows a remote attacker to execute arbitrary code via the Delete Account and Deactivate functions.

8.8
2023-09-14 CVE-2023-42180 Lenosp Project Unrestricted Upload of File with Dangerous Type vulnerability in Lenosp Project Lenosp

An arbitrary file upload vulnerability in the /user/upload component of lenosp 1.0-1.2.0 allows attackers to execute html code via a crafted JPG file.

8.8
2023-09-14 CVE-2023-2848 Movim Origin Validation Error vulnerability in Movim

Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability.

8.8
2023-09-13 CVE-2022-35849 Fortinet OS Command Injection vulnerability in Fortinet Fortiadc

An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiADC 7.1.0 through 7.1.1, 7.0.0 through 7.0.3, 6.2.0 through 6.2.5 and 6.1.0 all versions may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

8.8
2023-09-13 CVE-2023-34984 Fortinet Unspecified vulnerability in Fortinet Fortiweb

A protection mechanism failure in Fortinet FortiWeb 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.0 through 6.4.3, 6.3.6 through 6.3.23 allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.

8.8
2023-09-13 CVE-2023-36634 Fortinet Unspecified vulnerability in Fortinet Fortiap-U

An incomplete filtering of one or more instances of special elements vulnerability [CWE-792] in the command line interpreter of FortiAP-U 7.0.0, 6.2.0 through 6.2.5, 6.0 all versions, 5.4 all versions may allow an authenticated attacker to list and delete arbitrary files and directory via specially crafted command arguments.

8.8
2023-09-13 CVE-2023-4153 Webmedia Unspecified vulnerability in Webmedia BAN Users

The BAN Users plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.5.3 due to a missing capability check on the 'w3dev_save_ban_user_settings_callback' function.

8.8
2023-09-13 CVE-2023-4213 Mikevanwinkle Authorization Bypass Through User-Controlled Key vulnerability in Mikevanwinkle Simplr Registration Form Plus+

The Simplr Registration Form Plus+ plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.4.5.

8.8
2023-09-13 CVE-2023-4916 Idehweb Unspecified vulnerability in Idehweb Login With Phone Number

The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.6.

8.8
2023-09-12 CVE-2023-3711 Honeywell Session Fixation vulnerability in Honeywell Pm43 Firmware

Session Fixation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Session Credential Falsification through Prediction.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g.

8.8
2023-09-12 CVE-2023-4918 Redhat Cleartext Transmission of Sensitive Information vulnerability in Redhat Keycloak 22.0.2

A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile.

8.8
2023-09-12 CVE-2023-33136 Microsoft Unspecified vulnerability in Microsoft Azure Devops Server

Azure DevOps Server Remote Code Execution Vulnerability

8.8
2023-09-12 CVE-2023-36764 Microsoft Unspecified vulnerability in Microsoft Sharepoint Server 2016/2019

Microsoft SharePoint Server Elevation of Privilege Vulnerability

8.8
2023-09-12 CVE-2023-38146 Microsoft Unspecified vulnerability in Microsoft Windows 11 22H2

Windows Themes Remote Code Execution Vulnerability

8.8
2023-09-12 CVE-2023-38147 Microsoft Unspecified vulnerability in Microsoft products

Windows Miracast Wireless Display Remote Code Execution Vulnerability

8.8
2023-09-12 CVE-2023-38148 Microsoft Unspecified vulnerability in Microsoft products

Internet Connection Sharing (ICS) Remote Code Execution Vulnerability

8.8
2023-09-12 CVE-2023-4863 Google
Fedoraproject
Debian
Mozilla
Microsoft
Webmproject
Netapp
Bentley
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

8.8
2023-09-12 CVE-2023-40726 Siemens Information Exposure Through Server Error Message vulnerability in Siemens QMS Automotive 12.30

A vulnerability has been identified in QMS Automotive (All versions < V12.39).

8.8
2023-09-12 CVE-2023-40730 Siemens Improper Access Control vulnerability in Siemens QMS Automotive 12.30

A vulnerability has been identified in QMS Automotive (All versions < V12.39).

8.8
2023-09-12 CVE-2023-40731 Siemens Unrestricted Upload of File with Dangerous Type vulnerability in Siemens QMS Automotive 12.30

A vulnerability has been identified in QMS Automotive (All versions < V12.39).

8.8
2023-09-12 CVE-2023-4759 Eclipse Improper Handling of Case Sensitivity vulnerability in Eclipse Jgit

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier).

8.8
2023-09-12 CVE-2023-37878 Wftpserver Incorrect Default Permissions vulnerability in Wftpserver Wing FTP Server

Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.

8.8
2023-09-12 CVE-2023-37881 Wftpserver Incorrect Authorization vulnerability in Wftpserver Wing FTP Server

Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.

8.8
2023-09-12 CVE-2022-48475 CBM Classic Buffer Overflow vulnerability in CBM Control DE Ciber 1.650

Buffer Overflow vulnerability in Control de Ciber version 1.650, in the printing function.

8.8
2023-09-12 CVE-2023-4899 Mintplexlabs SQL Injection vulnerability in Mintplexlabs Anything-Llm

SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.

8.8
2023-09-11 CVE-2022-1415 Redhat Deserialization of Untrusted Data vulnerability in Redhat products

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data.

8.8
2023-09-11 CVE-2023-35658 Google Use After Free vulnerability in Google Android

In gatt_process_prep_write_rsp of gatt_cl.cc, there is a possible privilege escalation due to a use after free.

8.8
2023-09-11 CVE-2023-35673 Google Integer Overflow or Wraparound vulnerability in Google Android

In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to an integer overflow.

8.8
2023-09-11 CVE-2023-35684 Google Out-of-bounds Write vulnerability in Google Android

In avdt_msg_asmbl of avdt_msg.cc, there is a possible out of bounds write due to an integer overflow.

8.8
2023-09-11 CVE-2023-36497 Doverfuelingsolutions Improper Access Control vulnerability in Doverfuelingsolutions Maglink LX web Console Configuration

Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 could allow a guest user to elevate to admin privileges.

8.8
2023-09-11 CVE-2023-38829 Netis Systems Command Injection vulnerability in Netis-Systems Wf2409E Firmware 3.6.42541

An issue in NETIS SYSTEMS WF2409E v.3.6.42541 allows a remote attacker to execute arbitrary code via the ping and traceroute functions of the diagnostic tools component in the admin management interface.

8.8
2023-09-11 CVE-2023-39780 Asus Command Injection vulnerability in Asus Rt-Ax55 Firmware 3.0.0.4.386.51598

ASUS RT-AX55 v3.0.0.4.386.51598 was discovered to contain an authenticated command injection vulnerability.

8.8
2023-09-11 CVE-2020-19318 Dlink Out-of-bounds Write vulnerability in Dlink Dir-605L Firmware 1.00/1.13/1.17B01

Buffer Overflow vulnerability in D-Link DIR-605L, hardware version AX, firmware version 1.17beta and below, allows authorized attackers execute arbitrary code via sending crafted data to the webserver service program.

8.8
2023-09-11 CVE-2023-3612 Govee Unspecified vulnerability in Govee Home

Govee Home app has unprotected access to WebView component which can be opened by any app on the device.

8.8
2023-09-11 CVE-2023-4582 Mozilla Classic Buffer Overflow vulnerability in Mozilla Firefox

Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have occured when allocating too much private shader memory on mac OS.

8.8
2023-09-11 CVE-2023-4584 Mozilla Out-of-bounds Write vulnerability in Mozilla Thunderbird

Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1.

8.8
2023-09-11 CVE-2023-4585 Mozilla Out-of-bounds Write vulnerability in Mozilla Thunderbird

Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1.

8.8
2023-09-11 CVE-2023-4816 Hitachienergy Improper Authentication vulnerability in Hitachienergy Asset Suite

A vulnerability exists in the Equipment Tag Out authentication, when configured with Single Sign-On (SSO) with password validation in T214.

8.8
2023-09-11 CVE-2023-4576 Mozilla Integer Overflow or Wraparound vulnerability in Mozilla Firefox

On Windows, an integer overflow could occur in `RecordedSourceSurfaceCreation` which resulted in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. *This bug only affects Firefox on Windows.

8.6
2023-09-13 CVE-2023-2680 Qemu
Redhat
Use After Free vulnerability in multiple products

This CVE exists because of an incomplete fix for CVE-2021-3750.

8.2
2023-09-12 CVE-2023-38155 Microsoft Unspecified vulnerability in Microsoft Azure Devops Server

Azure DevOps Server Remote Code Execution Vulnerability

8.1
2023-09-11 CVE-2022-23382 Hichip Unspecified vulnerability in Hichip Shenzhen Hichip Vision Technology Firmware 11.4.8.1.120170926

Shenzhen Hichip Vision Technology IP Camera Firmware V11.4.8.1.1-20170926 has a denial of service vulnerability through sending a crafted multicast message in a local network.

8.1
2023-09-15 CVE-2023-4987 Infinitietech SQL Injection vulnerability in Infinitietech Taskhub 2.8.7

A vulnerability, which was classified as critical, has been found in infinitietech taskhub 2.8.7.

8.0
2023-09-12 CVE-2023-36744 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability

8.0
2023-09-12 CVE-2023-36745 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability

8.0
2023-09-12 CVE-2023-36756 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability

8.0
2023-09-12 CVE-2023-36757 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2016/2019

Microsoft Exchange Server Spoofing Vulnerability

8.0
2023-09-16 CVE-2023-5012 Topazevolution Unquoted Search Path or Element vulnerability in Topazevolution OFD 2.11.0.201

A vulnerability, which was classified as problematic, was found in Topaz OFD 2.11.0.201.

7.8
2023-09-15 CVE-2023-4991 Quescom Unquoted Search Path or Element vulnerability in Quescom Nextbx Qwalerter 4.50

A vulnerability was found in NextBX QWAlerter 4.50.

7.8
2023-09-15 CVE-2023-4985 Supcon Improper Authentication vulnerability in Supcon Inplant Scada 20230901

A vulnerability classified as critical has been found in Supcon InPlant SCADA up to 20230901.

7.8
2023-09-15 CVE-2023-36658 Opswat Unquoted Search Path or Element vulnerability in Opswat Media Validation Agent and Metadefender Kiosk

An issue was discovered in OPSWAT MetaDefender KIOSK 4.6.1.9996.

7.8
2023-09-14 CVE-2022-47631 Razer Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Razer Synapse

Razer Synapse through 3.7.1209.121307 allows privilege escalation due to an unsafe installation path and improper privilege management.

7.8
2023-09-14 CVE-2023-32643 Gnome Out-of-bounds Write vulnerability in Gnome Glib

A flaw was found in GLib.

7.8
2023-09-14 CVE-2023-36250 Gnome Injection vulnerability in Gnome Gnome-Time Tracker 3.0.2

CSV Injection vulnerability in GNOME time tracker version 3.0.2, allows local attackers to execute arbitrary code via crafted .tsv file when creating a new record.

7.8
2023-09-14 CVE-2023-38557 Siemens Incorrect Permission Assignment for Critical Resource vulnerability in Siemens Spectrum Power 7 2.20/2.30

A vulnerability has been identified in Spectrum Power 7 (All versions < V23Q3).

7.8
2023-09-14 CVE-2023-4516 Schneider Electric Missing Authentication for Critical Function vulnerability in Schneider-Electric Interactive Graphical Scada System

A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change update source, potentially leading to remote code execution when the attacker force an update containing malicious content.

7.8
2023-09-14 CVE-2023-41267 Apache Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Airflow Hdfs Provider

In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package.

7.8
2023-09-13 CVE-2023-20236 Cisco Insufficient Verification of Data Authenticity vulnerability in Cisco IOS XR

A vulnerability in the iPXE boot function of Cisco IOS XR software could allow an authenticated, local attacker to install an unverified software image on an affected device. This vulnerability is due to insufficient image verification.

7.8
2023-09-13 CVE-2023-36642 Fortinet OS Command Injection vulnerability in Fortinet Fortitester

An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiTester 3.0.0 through 7.2.3 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

7.8
2023-09-13 CVE-2023-40717 Fortinet Use of Hard-coded Credentials vulnerability in Fortinet Fortitester

A use of hard-coded credentials vulnerability [CWE-798] in FortiTester 2.3.0 through 7.2.3 may allow an attacker who managed to get a shell on the device to access the database via shell commands.

7.8
2023-09-13 CVE-2023-26369 Adobe Out-of-bounds Write vulnerability in Adobe products

Acrobat Reader versions 23.003.20284 (and earlier), 20.005.30516 (and earlier) and 20.005.30514 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-12 CVE-2023-3712 Honeywell Files or Directories Accessible to External Parties vulnerability in Honeywell Pm43 Firmware

Files or Directories Accessible to External Parties vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Privilege Escalation.This issue affects PM43 versions prior to P10.19.050004.  Update to the latest available firmware version of the respective printers to version MR19.5 (e.g.

7.8
2023-09-12 CVE-2023-4921 Linux
Debian
Use After Free vulnerability in multiple products

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.

7.8
2023-09-12 CVE-2023-35355 Microsoft Unspecified vulnerability in Microsoft products

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-36739 Microsoft Unspecified vulnerability in Microsoft 3D Viewer 7.2107.7012.0/7.2306.12012.0

3D Viewer Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36740 Microsoft Unspecified vulnerability in Microsoft 3D Viewer 7.2107.7012.0

3D Viewer Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36742 Microsoft Unspecified vulnerability in Microsoft Visual Studio Code

Visual Studio Code Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36760 Microsoft Unspecified vulnerability in Microsoft 3D Viewer 7.2107.7012.0/7.2306.12012.0

3D Viewer Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36770 Microsoft Unspecified vulnerability in Microsoft 3D Builder 20.0.1

3D Builder Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36771 Microsoft Unspecified vulnerability in Microsoft 3D Builder 20.0.1

3D Builder Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36772 Microsoft Unspecified vulnerability in Microsoft 3D Builder 20.0.1

3D Builder Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36773 Microsoft Unspecified vulnerability in Microsoft 3D Builder 20.0.1

3D Builder Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36788 Microsoft Unspecified vulnerability in Microsoft .Net Framework

.NET Framework Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36792 Microsoft Unspecified vulnerability in Microsoft products

Visual Studio Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36793 Microsoft Unspecified vulnerability in Microsoft products

Visual Studio Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36794 Microsoft Unspecified vulnerability in Microsoft products

Visual Studio Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36796 Microsoft Unspecified vulnerability in Microsoft products

Visual Studio Remote Code Execution Vulnerability

7.8
2023-09-12 CVE-2023-36802 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-36804 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-38139 Microsoft Unspecified vulnerability in Microsoft products

Windows Kernel Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-38141 Microsoft Unspecified vulnerability in Microsoft products

Windows Kernel Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-38142 Microsoft Unspecified vulnerability in Microsoft products

Windows Kernel Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-38143 Microsoft Unspecified vulnerability in Microsoft products

Windows Common Log File System Driver Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-38144 Microsoft Unspecified vulnerability in Microsoft products

Windows Common Log File System Driver Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-38150 Microsoft Unspecified vulnerability in Microsoft Windows 11 22H2

Windows Kernel Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-38161 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI Elevation of Privilege Vulnerability

7.8
2023-09-12 CVE-2023-38163 Microsoft Unspecified vulnerability in Microsoft Windows Defender Security Intelligence Updates

Windows Defender Attack Surface Reduction Security Feature Bypass

7.8
2023-09-12 CVE-2023-34470 AMI Unspecified vulnerability in AMI Aptio V

AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper access control via the local network.

7.8
2023-09-12 CVE-2023-38070 Siemens Out-of-bounds Write vulnerability in Siemens products

A vulnerability has been identified in JT2Go (All versions < V14.3.0.1), Teamcenter Visualization V13.3 (All versions < V13.3.0.12), Teamcenter Visualization V14.0 (All versions), Teamcenter Visualization V14.1 (All versions < V14.1.0.11), Teamcenter Visualization V14.2 (All versions < V14.2.0.6), Teamcenter Visualization V14.3 (All versions < V14.3.0.1), Tecnomatix Plant Simulation V2201 (All versions < V2201.0010), Tecnomatix Plant Simulation V2302 (All versions < V2302.0004).

7.8
2023-09-12 CVE-2023-38071 Siemens Out-of-bounds Write vulnerability in Siemens products

A vulnerability has been identified in JT2Go (All versions < V14.3.0.1), Teamcenter Visualization V13.3 (All versions < V13.3.0.12), Teamcenter Visualization V14.0 (All versions), Teamcenter Visualization V14.1 (All versions < V14.1.0.11), Teamcenter Visualization V14.2 (All versions < V14.2.0.6), Teamcenter Visualization V14.3 (All versions < V14.3.0.1), Tecnomatix Plant Simulation V2201 (All versions < V2201.0010), Tecnomatix Plant Simulation V2302 (All versions < V2302.0004).

7.8
2023-09-12 CVE-2023-38072 Siemens Out-of-bounds Write vulnerability in Siemens products

A vulnerability has been identified in JT2Go (All versions < V14.3.0.1), Teamcenter Visualization V13.3 (All versions < V13.3.0.12), Teamcenter Visualization V14.0 (All versions), Teamcenter Visualization V14.1 (All versions < V14.1.0.11), Teamcenter Visualization V14.2 (All versions < V14.2.0.6), Teamcenter Visualization V14.3 (All versions < V14.3.0.1), Tecnomatix Plant Simulation V2201 (All versions < V2201.0010), Tecnomatix Plant Simulation V2302 (All versions < V2302.0004).

7.8
2023-09-12 CVE-2023-38073 Siemens Type Confusion vulnerability in Siemens products

A vulnerability has been identified in JT2Go (All versions < V14.3.0.1), Teamcenter Visualization V13.3 (All versions < V13.3.0.12), Teamcenter Visualization V14.0 (All versions), Teamcenter Visualization V14.1 (All versions < V14.1.0.11), Teamcenter Visualization V14.2 (All versions < V14.2.0.6), Teamcenter Visualization V14.3 (All versions < V14.3.0.1), Tecnomatix Plant Simulation V2201 (All versions < V2201.0010), Tecnomatix Plant Simulation V2302 (All versions < V2302.0004).

7.8
2023-09-12 CVE-2023-38074 Siemens Type Confusion vulnerability in Siemens products

A vulnerability has been identified in JT2Go (All versions < V14.3.0.1), Teamcenter Visualization V13.3 (All versions < V13.3.0.12), Teamcenter Visualization V14.0 (All versions), Teamcenter Visualization V14.1 (All versions < V14.1.0.11), Teamcenter Visualization V14.2 (All versions < V14.2.0.6), Teamcenter Visualization V14.3 (All versions < V14.3.0.1), Tecnomatix Plant Simulation V2201 (All versions < V2201.0010), Tecnomatix Plant Simulation V2302 (All versions < V2302.0004).

7.8
2023-09-12 CVE-2023-38075 Siemens Use After Free vulnerability in Siemens products

A vulnerability has been identified in JT2Go (All versions < V14.3.0.1), Teamcenter Visualization V13.3 (All versions < V13.3.0.12), Teamcenter Visualization V14.0 (All versions), Teamcenter Visualization V14.1 (All versions < V14.1.0.11), Teamcenter Visualization V14.2 (All versions < V14.2.0.6), Teamcenter Visualization V14.3 (All versions < V14.3.0.1), Tecnomatix Plant Simulation V2201 (All versions < V2201.0010), Tecnomatix Plant Simulation V2302 (All versions < V2302.0004).

7.8
2023-09-12 CVE-2023-38076 Siemens Out-of-bounds Write vulnerability in Siemens products

A vulnerability has been identified in JT2Go (All versions < V14.3.0.1), Teamcenter Visualization V13.3 (All versions < V13.3.0.12), Teamcenter Visualization V14.0 (All versions), Teamcenter Visualization V14.1 (All versions < V14.1.0.11), Teamcenter Visualization V14.2 (All versions < V14.2.0.6), Teamcenter Visualization V14.3 (All versions < V14.3.0.1), Tecnomatix Plant Simulation V2201 (All versions < V2201.0010), Tecnomatix Plant Simulation V2302 (All versions < V2302.0004).

7.8
2023-09-12 CVE-2023-40727 Siemens Improper Verification of Cryptographic Signature vulnerability in Siemens QMS Automotive 12.30

A vulnerability has been identified in QMS Automotive (All versions < V12.39).

7.8
2023-09-12 CVE-2023-40728 Siemens Insecure Storage of Sensitive Information vulnerability in Siemens QMS Automotive 12.30

A vulnerability has been identified in QMS Automotive (All versions < V12.39).

7.8
2023-09-12 CVE-2023-41032 Siemens Out-of-bounds Write vulnerability in Siemens Parasolid and Simcenter Femap

A vulnerability has been identified in Parasolid V34.1 (All versions < V34.1.258), Parasolid V35.0 (All versions < V35.0.253), Parasolid V35.1 (All versions < V35.1.184), Parasolid V36.0 (All versions < V36.0.142), Simcenter Femap V2301 (All versions < V2301.0003), Simcenter Femap V2306 (All versions < V2306.0001).

7.8
2023-09-12 CVE-2023-41033 Siemens Out-of-bounds Write vulnerability in Siemens Parasolid and Simcenter Femap

A vulnerability has been identified in Parasolid V35.0 (All versions < V35.0.260), Parasolid V35.1 (All versions < V35.1.246), Parasolid V36.0 (All versions < V36.0.156), Simcenter Femap V2301 (All versions < V2301.0003), Simcenter Femap V2306 (All versions < V2306.0001).

7.8
2023-09-12 CVE-2023-41846 Siemens Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Siemens Tecnomatix 2201/2302

A vulnerability has been identified in Tecnomatix Plant Simulation V2201 (All versions < V2201.0008), Tecnomatix Plant Simulation V2302 (All versions < V2302.0002).

7.8
2023-09-12 CVE-2023-3039 Dell Improper Access Control vulnerability in Dell SD ROM Utility

SD ROM Utility, versions prior to 1.0.2.0 contain an Improper Access Control vulnerability.

7.8
2023-09-12 CVE-2023-25519 Nvidia Unspecified vulnerability in Nvidia products

NVIDIA ConnectX Host Firmware for the BlueField Data Processing Unit contains a vulnerability where a restricted host may cause an incorrect user management error.

7.8
2023-09-12 CVE-2023-41990 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved handling of caches.

7.8
2023-09-11 CVE-2023-35665 Google Missing Authorization vulnerability in Google Android

In multiple files, there is a possible way to import a contact from another user due to a missing permission check.

7.8
2023-09-11 CVE-2023-35666 Google Use After Free vulnerability in Google Android

In bta_av_rc_msg of bta_av_act.cc, there is a possible use after free due to a logic error in the code.

7.8
2023-09-11 CVE-2023-35667 Google Unspecified vulnerability in Google Android

In updateList of NotificationAccessSettings.java, there is a possible way to hide approved notification listeners in the settings due to a logic error in the code.

7.8
2023-09-11 CVE-2023-35669 Google Deserialization of Untrusted Data vulnerability in Google Android

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to control other running activities due to unsafe deserialization.

7.8
2023-09-11 CVE-2023-35670 Google Path Traversal vulnerability in Google Android

In computeValuesFromData of FileUtils.java, there is a possible way to insert files to other apps' external private directories due to a path traversal error.

7.8
2023-09-11 CVE-2023-35674 Google Unspecified vulnerability in Google Android

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code.

7.8
2023-09-11 CVE-2023-35676 Google Unspecified vulnerability in Google Android 12.0/12.1/13.0

In createQuickShareAction of SaveImageInBackgroundTask.java, there is a possible way to trigger a background activity launch due to an unsafe PendingIntent.

7.8
2023-09-11 CVE-2023-35682 Google Unspecified vulnerability in Google Android

In hasPermissionForActivity of PackageManagerHelper.java, there is a possible way to start arbitrary components due to a confused deputy.

7.8
2023-09-11 CVE-2023-35687 Google Use After Free vulnerability in Google Android

In MtpPropertyValue of MtpProperty.h, there is a possible memory corruption due to a use after free.

7.8
2023-09-11 CVE-2023-31468 Inosoft Incorrect Default Permissions vulnerability in Inosoft Visiwin 7 20222.1

An issue was discovered in Inosoft VisiWin 7 through 2022-2.1 (Runtime RT7.3 RC3 20221209.5).

7.8
2023-09-11 CVE-2023-39063 Raidenftpd Classic Buffer Overflow vulnerability in Raidenftpd 2.4.4050

Buffer Overflow vulnerability in RaidenFTPD 2.4.4005 allows a local attacker to execute arbitrary code via the Server name field of the Step by step setup wizard.

7.8
2023-09-11 CVE-2023-39070 Cppchecksolutions Use After Free vulnerability in Cppchecksolutions Cppcheck 2.12.0

An issue in Cppcheck 2.12 dev allows a local attacker to execute arbitrary code via the removeContradiction parameter in token.cpp:1934.

7.8
2023-09-11 CVE-2020-24088 Foxconn Unspecified vulnerability in Foxconn Live Update Utility 2.1.6.26

An issue was discovered in MmMapIoSpace routine in Foxconn Live Update Utility 2.1.6.26, allows local attackers to escalate privileges.

7.8
2023-09-11 CVE-2019-16470 Adobe Out-of-bounds Write vulnerability in Adobe Acrobat DC

Adobe Acrobat Reader versions 2019.021.20056 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-11 CVE-2019-16471 Adobe Use After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat Reader versions 2019.021.20056 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-11 CVE-2022-28831 Adobe Out-of-bounds Write vulnerability in Adobe Indesign

Adobe InDesign versions 17.1 (and earlier) and 16.4.1 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-11 CVE-2022-28832 Adobe Out-of-bounds Read vulnerability in Adobe Indesign

Adobe InDesign versions 17.1 (and earlier) and 16.4.1 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.

7.8
2023-09-11 CVE-2022-28833 Adobe Out-of-bounds Write vulnerability in Adobe Indesign

Adobe InDesign versions 17.1 (and earlier) and 16.4.1 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-11 CVE-2022-28834 Adobe Out-of-bounds Write vulnerability in Adobe Incopy

Adobe InCopy versions 17.1 (and earlier) and 16.4.1 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-11 CVE-2022-28835 Adobe Use After Free vulnerability in Adobe Incopy

Adobe InCopy versions 17.1 (and earlier) and 16.4.1 (and earlier) are affected by an Use-After-Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-11 CVE-2022-28836 Adobe Out-of-bounds Write vulnerability in Adobe Incopy

Adobe InCopy versions 17.1 (and earlier) and 16.4.1 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-11 CVE-2022-34224 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 (and earlier) and 17.012.30229 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-11 CVE-2022-34227 Adobe Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 (and earlier) and 17.012.30229 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2023-09-17 CVE-2023-5027 Razormist SQL Injection vulnerability in Razormist Simple Membership System 1.0

A vulnerability classified as critical was found in SourceCodester Simple Membership System 1.0.

7.5
2023-09-15 CVE-2022-3261 Redhat Cleartext Transmission of Sensitive Information vulnerability in Redhat Openstack Platform 16.2

A flaw was found in OpenStack.

7.5
2023-09-15 CVE-2023-0813 Redhat Improper Authentication vulnerability in Redhat Network Observability 1.0

A flaw was found in the Network Observability plugin for OpenShift console.

7.5
2023-09-15 CVE-2023-41886 Openrefine SQL Injection vulnerability in Openrefine

OpenRefine is a powerful free, open source tool for working with messy data.

7.5
2023-09-15 CVE-2023-40018 Freeswitch Out-of-bounds Write vulnerability in Freeswitch

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware.

7.5
2023-09-15 CVE-2022-47848 Bezeq Improper Authentication vulnerability in Bezeq Vtech Iad604-Il Firmware and Vtech Nb403-Il Firmware

An issue was discovered in Bezeq Vtech NB403-IL version BZ_2.02.07.09.13.01 and Vtech IAD604-IL versions BZ_2.02.07.09.13.01, BZ_2.02.07.09.13T, and BZ_2.02.07.09.09T, allows remote attackers to gain sensitive information via rootDesc.xml page of the UPnP service.

7.5
2023-09-15 CVE-2023-38039 Haxx
Fedoraproject
Microsoft
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

7.5
2023-09-14 CVE-2023-29499 Gnome Resource Exhaustion vulnerability in Gnome Glib

A flaw was found in GLib.

7.5
2023-09-14 CVE-2023-32636 Gnome Deserialization of Untrusted Data vulnerability in Gnome Glib

A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499.

7.5
2023-09-14 CVE-2023-1108 Redhat
Netapp
Infinite Loop vulnerability in multiple products

A flaw was found in undertow.

7.5
2023-09-14 CVE-2023-38205 Adobe Unspecified vulnerability in Adobe Coldfusion 2018/2021/2023

Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass.

7.5
2023-09-13 CVE-2023-40850 Netentsec Unspecified vulnerability in Netentsec Ns-Asg Firmware 6.3

netentsec NS-ASG 6.3 is vulnerable to Incorrect Access Control.

7.5
2023-09-13 CVE-2023-20191 Cisco Incorrect Authorization vulnerability in Cisco IOS XR

A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incomplete support for this feature.

7.5
2023-09-13 CVE-2023-4785 Grpc Unspecified vulnerability in Grpc

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex.

7.5
2023-09-13 CVE-2023-4801 Proofpoint Improper Certificate Validation vulnerability in Proofpoint Insider Threat Management

An improper certification validation vulnerability in the Insider Threat Management (ITM) Agent for MacOS could be used by an anonymous actor on an adjacent network to establish a man-in-the-middle position between the agent and the ITM server after the agent has registered.

7.5
2023-09-13 CVE-2023-39914 Nlnetlabs Unspecified vulnerability in Nlnetlabs Bcder

NLnet Labs’ bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error.

7.5
2023-09-13 CVE-2023-39915 Nlnetlabs Unspecified vulnerability in Nlnetlabs Routinator

NLnet Labs’ Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects.

7.5
2023-09-13 CVE-2023-41081 Apache Unspecified vulnerability in Apache Tomcat Connectors 1.2.0/1.2.40/1.2.48

Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd.

7.5
2023-09-12 CVE-2023-39208 Zoom Improper Input Validation vulnerability in Zoom

Improper input validation in Zoom Desktop Client for Linux before version 5.15.10 may allow an unauthenticated user to conduct a denial of service via network access.

7.5
2023-09-12 CVE-2023-36763 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Outlook Information Disclosure Vulnerability

7.5
2023-09-12 CVE-2023-38149 Microsoft Resource Exhaustion vulnerability in Microsoft products

Windows TCP/IP Denial of Service Vulnerability

7.5
2023-09-12 CVE-2023-38162 Microsoft Resource Exhaustion vulnerability in Microsoft products

DHCP Server Service Denial of Service Vulnerability

7.5
2023-09-12 CVE-2023-4914 Cecil Path Traversal vulnerability in Cecil

Relative Path Traversal in GitHub repository cecilapp/cecil prior to 7.47.1.

7.5
2023-09-12 CVE-2023-28831 Siemens Integer Overflow or Wraparound vulnerability in Siemens products

The OPC UA implementations (ANSI C and C++) in affected products contain an integer overflow vulnerability that could cause the application to run into an infinite loop during certificate validation. This could allow an unauthenticated remote attacker to create a denial of service condition by sending a specially crafted certificate.

7.5
2023-09-12 CVE-2023-37879 Wftpserver Insecure Storage of Sensitive Information vulnerability in Wftpserver Wing FTP Server

Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: <= 7.2.0.

7.5
2023-09-12 CVE-2022-48474 CBM Resource Exhaustion vulnerability in CBM Control DE Ciber 1.650

Control de Ciber, in its 1.650 version, is affected by a Denial of Service condition through the version function.

7.5
2023-09-12 CVE-2022-4896 CBM Resource Exhaustion vulnerability in CBM Control DE Ciber 1.650

Cyber Control, in its 1.650 version, is affected by a vulnerability in the generation on the server of pop-up windows with the messages "PNTMEDIDAS", "PEDIR", "HAYDISCOA" or "SPOOLER".

7.5
2023-09-12 CVE-2023-32558 Nodejs Path Traversal vulnerability in Nodejs Node.Js

The use of the deprecated API `process.binding()` can bypass the permission model through path traversal.

7.5
2023-09-12 CVE-2023-40308 SAP NULL Pointer Dereference vulnerability in SAP products

SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable.

7.5
2023-09-12 CVE-2023-40440 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved state management of S/MIME encrypted emails.

7.5
2023-09-12 CVE-2023-4898 Mintplexlabs Unspecified vulnerability in Mintplexlabs Anything-Llm

Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.

7.5
2023-09-11 CVE-2023-41879 Openmage Use of Insufficiently Random Values vulnerability in Openmage Magento

Magento LTS is the official OpenMage LTS codebase.

7.5
2023-09-11 CVE-2023-38256 Doverfuelingsolutions Path Traversal vulnerability in Doverfuelingsolutions Maglink LX web Console Configuration

Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 vulnerable to a path traversal attack, which could allow an attacker to access files stored on the system.

7.5
2023-09-11 CVE-2023-39227 Softneta Unprotected Storage of Credentials vulnerability in Softneta Meddream Pacs

?Softneta MedDream PACS stores usernames and passwords in plaintext.

7.5
2023-09-11 CVE-2023-4278 Stylemixthemes Unspecified vulnerability in Stylemixthemes Masterstudy LMS

The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in place during registration allowing anyone to register on the site as an instructor.

7.5
2023-09-11 CVE-2020-19323 Dlink Out-of-bounds Write vulnerability in Dlink Dir-619L Firmware 2.06

An issue was discovered in /bin/mini_upnpd on D-Link DIR-619L 2.06beta devices.

7.5
2023-09-11 CVE-2023-39068 Xiongmaitech Classic Buffer Overflow vulnerability in Xiongmaitech Nb080S09S-Klc Firmware and Nbd80N32Ra-Kl-V3 Firmware

Buffer Overflow vulnerability in NBD80S09S-KLC v.YK_HZXM_NBD80S09S-KLC_V4.03.R11.7601.Nat.OnvifC.20230414.bin and NBD80N32RA-KL-V3 v.YK_HZXM_NBD80N32RA-KL_V4.03.R11.7601.Nat.OnvifC.20220120.bin allows a remote attacker to casue a denial of service via a crafted request to the service.XM component.

7.5
2023-09-11 CVE-2023-36161 Quboworld Unspecified vulnerability in Quboworld Smart Plug 10A Firmware Hsp02010114System10A

An issue was discovered in Qubo Smart Plug 10A version HSP02_01_01_14_SYSTEM-10A, allows attackers to cause a denial of service (DoS) via Wi-Fi deauthentication.

7.5
2023-09-11 CVE-2023-4583 Mozilla Unspecified vulnerability in Mozilla Thunderbird

When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended.

7.5
2023-09-12 CVE-2023-40729 Siemens Cleartext Transmission of Sensitive Information vulnerability in Siemens QMS Automotive 12.30

A vulnerability has been identified in QMS Automotive (All versions < V12.39).

7.4
2023-09-12 CVE-2023-36762 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Word Remote Code Execution Vulnerability

7.3
2023-09-12 CVE-2023-40724 Siemens Cleartext Storage of Sensitive Information in Memory vulnerability in Siemens QMS Automotive 12.30

A vulnerability has been identified in QMS Automotive (All versions < V12.39).

7.3
2023-09-12 CVE-2023-42472 SAP Unrestricted Upload of File with Dangerous Type vulnerability in SAP Businessobjects Business Intelligence Platform 420

Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) - version 420, allows a report creator to upload files from local system into the report over the network.

7.3
2023-09-16 CVE-2023-3025 Hynotech Unspecified vulnerability in Hynotech Dropbox Folder Share 1.9.7

The Dropbox Folder Share plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.9.7 via the 'link' parameter.

7.2
2023-09-13 CVE-2023-23840 Solarwinds Incorrect Comparison vulnerability in Solarwinds Orion Platform

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability.

7.2
2023-09-13 CVE-2023-23845 Solarwinds Incorrect Comparison vulnerability in Solarwinds Orion Platform

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability.

7.2
2023-09-13 CVE-2023-4928 Instantcms SQL Injection vulnerability in Instantcms Icms2

SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1.

7.2
2023-09-12 CVE-2023-21521 Blackberry SQL Injection vulnerability in Blackberry Athoc 7.15

An SQL Injection vulnerability in the Management Console? (Operator Audit Trail) of BlackBerry AtHoc version 7.15 could allow an attacker to potentially read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

7.2
2023-09-12 CVE-2023-38156 Microsoft Unspecified vulnerability in Microsoft Azure Hdinsights

Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability

7.2
2023-09-12 CVE-2022-24093 Adobe Improper Input Validation vulnerability in Adobe Commerce and Magento Open Source

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability.

7.2
2023-09-11 CVE-2023-4314 TMS Outsource Unspecified vulnerability in Tms-Outsource Wpdatatables

The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deserializing the data.

7.2
2023-09-11 CVE-2023-38743 Zohocorp Unspecified vulnerability in Zohocorp Manageengine Admanager Plus

Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.

7.2
2023-09-15 CVE-2023-36562 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

7.1
2023-09-14 CVE-2023-25584 GNU Out-of-bounds Read vulnerability in GNU Binutils

An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.

7.1
2023-09-14 CVE-2023-4814 Trellix Incorrect Authorization vulnerability in Trellix Data Loss Prevention 11.10.100.17

A Privilege escalation vulnerability exists in Trellix Windows DLP endpoint for windows which can be abused to delete any file/folder for which the user does not have permission to.

7.1
2023-09-12 CVE-2023-40623 SAP Unspecified vulnerability in SAP Businessobjects 420/430

SAP BusinessObjects Suite Installer - version 420, 430, allows an attacker within the network to create a directory under temporary directory and link it to a directory with operating system files.

7.1
2023-09-15 CVE-2023-3891 Lapce Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Lapce 0.2.8

Race condition in Lapce v0.2.8 allows an attacker to elevate privileges on the system

7.0
2023-09-13 CVE-2023-20135 Cisco Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Cisco IOS XR

A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image.

7.0
2023-09-12 CVE-2023-36805 Microsoft Unspecified vulnerability in Microsoft products

Windows MSHTML Platform Security Feature Bypass Vulnerability

7.0
2023-09-11 CVE-2023-27470 N Able Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in N-Able Take Control 7.0.41.1141

BASupSrvcUpdater.exe in N-able Take Control Agent through 7.0.41.1141 before 7.0.43 has a TOCTOU Race Condition via a pseudo-symlink at %PROGRAMDATA%\GetSupportService_N-Central\PushUpdates, leading to arbitrary file deletion.

7.0

217 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-09-15 CVE-2023-4680 Hashicorp Improper Input Validation vulnerability in Hashicorp Vault

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled.

6.8
2023-09-15 CVE-2023-41325 Linaro Double Free vulnerability in Linaro Op-Tee 3.20.0/3.21.0/3.22.0

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology.

6.7
2023-09-15 CVE-2023-32461 Dell Heap-based Buffer Overflow vulnerability in Dell products

Dell PowerEdge BIOS and Dell Precision BIOS contain a buffer overflow vulnerability.

6.7
2023-09-12 CVE-2022-47637 Apachefriends Improper Preservation of Permissions vulnerability in Apachefriends Xampp

The installer in XAMPP through 8.1.12 allows local users to write to the C:\xampp directory.

6.7
2023-09-12 CVE-2023-39201 Zoom Untrusted Search Path vulnerability in Zoom Cleanzoom

Untrusted search path in CleanZoom before file date 07/24/2023 may allow a privileged user to conduct an escalation of privilege via local access.

6.7
2023-09-12 CVE-2023-36759 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2019

Visual Studio Elevation of Privilege Vulnerability

6.7
2023-09-15 CVE-2023-42439 Geosolutionsgroup Server-Side Request Forgery (SSRF) vulnerability in Geosolutionsgroup Geonode

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data.

6.5
2023-09-15 CVE-2023-38706 Discourse Allocation of Resources Without Limits or Throttling vulnerability in Discourse

Discourse is an open-source discussion platform.

6.5
2023-09-15 CVE-2023-40019 Freeswitch Allocation of Resources Without Limits or Throttling vulnerability in Freeswitch

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware.

6.5
2023-09-15 CVE-2023-40588 Discourse Allocation of Resources Without Limits or Throttling vulnerability in Discourse

Discourse is an open-source discussion platform.

6.5
2023-09-15 CVE-2023-41042 Discourse Allocation of Resources Without Limits or Throttling vulnerability in Discourse

Discourse is an open-source discussion platform.

6.5
2023-09-15 CVE-2023-41043 Discourse Allocation of Resources Without Limits or Throttling vulnerability in Discourse

Discourse is an open-source discussion platform.

6.5
2023-09-15 CVE-2023-4984 Didiglobal Unprotected Storage of Credentials vulnerability in Didiglobal Knowsearch 0.3.1.2/0.3.2

A vulnerability was found in didi KnowSearch 0.3.2/0.3.1.2.

6.5
2023-09-15 CVE-2023-4959 Redhat Cross-Site Request Forgery (CSRF) vulnerability in Redhat Quay 3.0.0

A flaw was found in Quay.

6.5
2023-09-14 CVE-2023-37739 I Doit Path Traversal vulnerability in I-Doit

i-doit Pro v25 and below was discovered to be vulnerable to path traversal.

6.5
2023-09-14 CVE-2023-42178 Lenosp SQL Injection vulnerability in Lenosp

Lenosp 1.0.0-1.2.0 is vulnerable to SQL Injection via the log query module.

6.5
2023-09-13 CVE-2023-4568 Papercut Improper Authentication vulnerability in Papercut NG

PaperCut NG allows for unauthenticated XMLRPC commands to be run by default.

6.5
2023-09-13 CVE-2023-20233 Cisco Improper Validation of Integrity Check Value vulnerability in Cisco IOS XR

A vulnerability in the Connectivity Fault Management (CFM) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to incorrect processing of invalid continuity check messages (CCMs).

6.5
2023-09-13 CVE-2023-3255 Qemu
Redhat
Fedoraproject
Infinite Loop vulnerability in multiple products

A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages.

6.5
2023-09-13 CVE-2023-39916 Nlnetlabs Path Traversal vulnerability in Nlnetlabs Routinator

NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 contains a possible path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature that allows users to store the content of responses received for RRDP requests.

6.5
2023-09-13 CVE-2023-25608 Fortinet Unspecified vulnerability in Fortinet products

An incomplete filtering of one or more instances of special elements vulnerability [CWE-792] in the command line interpreter of FortiAP-W2 7.2.0 through 7.2.1, 7.0.3 through 7.0.5, 7.0.0 through 7.0.1, 6.4 all versions, 6.2 all versions, 6.0 all versions; FortiAP-C 5.4.0 through 5.4.4, 5.2 all versions; FortiAP 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4 all versions, 6.0 all versions; FortiAP-U 7.0.0, 6.2.0 through 6.2.5, 6.0 all versions, 5.4 all versions may allow an authenticated attacker to read arbitrary files via specially crafted command arguments.

6.5
2023-09-13 CVE-2023-4400 Skyhighsecurity Cleartext Storage of Sensitive Information vulnerability in Skyhighsecurity Secure web Gateway 10.0.0/11.0.0/12.0.0

A password management vulnerability in Skyhigh Secure Web Gateway (SWG) in main releases 11.x prior to 11.2.14, 10.x prior to 10.2.25 and controlled release 12.x prior to 12.2.1, allows some authentication information stored in configuration files to be extracted through SWG REST API.

6.5
2023-09-13 CVE-2023-4917 TE ST Unspecified vulnerability in Te-St Leyka

The Leyka plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.30.3 via the 'leyka_ajax_get_env_and_options' function.

6.5
2023-09-12 CVE-2023-39215 Zoom Improper Authentication vulnerability in Zoom Meeting Software Development KIT and Zoom

Improper authentication in Zoom clients may allow an authenticated user to conduct a denial of service via network access.

6.5
2023-09-12 CVE-2023-36761 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Word Information Disclosure Vulnerability

6.5
2023-09-12 CVE-2023-36799 Microsoft Unspecified vulnerability in Microsoft .Net and Visual Studio 2022

.NET Core and Visual Studio Denial of Service Vulnerability

6.5
2023-09-12 CVE-2023-27169 Xpand IT Use of Hard-coded Credentials vulnerability in Xpand-It Write-Back Manager 2.3.1

Xpand IT Write-back manager v2.3.1 uses a hardcoded salt in license class configuration which leads to the generation of a hardcoded and predictable symmetric encryption keys for license generation and validation.

6.5
2023-09-12 CVE-2023-40712 Apache Information Exposure vulnerability in Apache Airflow

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.

6.5
2023-09-11 CVE-2023-41336 Symfony Improper Input Validation vulnerability in Symfony UX Autocomplete

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony.

6.5
2023-09-11 CVE-2023-4574 Mozilla Use After Free vulnerability in Mozilla Thunderbird

When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished.

6.5
2023-09-11 CVE-2023-4575 Mozilla Use After Free vulnerability in Mozilla Thunderbird

When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished.

6.5
2023-09-11 CVE-2023-4577 Mozilla Unspecified vulnerability in Mozilla Thunderbird

When `UpdateRegExpStatics` attempted to access `initialStringHeap` it could already have been garbage collected prior to entering the function, which could potentially have led to an exploitable crash.

6.5
2023-09-11 CVE-2023-4578 Mozilla Allocation of Resources Without Limits or Throttling vulnerability in Mozilla Thunderbird

When calling `JS::CheckRegExpSyntax` a Syntax Error could have been set which would end in calling `convertToRuntimeErrorAndClear`.

6.5
2023-09-11 CVE-2023-4580 Mozilla Missing Encryption of Sensitive Data vulnerability in Mozilla Thunderbird

Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information.

6.5
2023-09-11 CVE-2023-4573 Mozilla Use After Free vulnerability in Mozilla Thunderbird

When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash.

6.5
2023-09-16 CVE-2023-4994 Hitreach Unspecified vulnerability in Hitreach Allow PHP in Posts and Pages 3.0.4

The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.0.4 via the 'php' shortcode.

6.4
2023-09-12 CVE-2023-40621 SAP Code Injection vulnerability in SAP Powerdesigner 16.7

SAP PowerDesigner Client - version 16.7, allows an unauthenticated attacker to inject VBScript code in a document and have it opened by an unsuspecting user, to have it executed by the application on behalf of the user.

6.3
2023-09-17 CVE-2023-5026 Tongda2000 Cross-site Scripting vulnerability in Tongda2000 Tongda Office Anywhere 11.10

A vulnerability classified as problematic has been found in Tongda OA 11.10.

6.1
2023-09-17 CVE-2023-38040 Revive Adserver Cross-site Scripting vulnerability in Revive-Adserver Revive Adserver

A reflected XSS vulnerability exists in Revive Adserver 5.4.1 and earlier versions..

6.1
2023-09-17 CVE-2023-5021 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 AC Repair and Services System 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester AC Repair and Services System 1.0.

6.1
2023-09-17 CVE-2023-5015 Ucms Project Cross-site Scripting vulnerability in Ucms Project Ucms 1.4.7

A vulnerability was found in UCMS 1.4.7.

6.1
2023-09-15 CVE-2023-36727 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Spoofing Vulnerability

6.1
2023-09-15 CVE-2023-4983 App1Pro Cross-site Scripting vulnerability in App1Pro Shopicial 20230830

A vulnerability was found in app1pro Shopicial up to 20230830.

6.1
2023-09-15 CVE-2023-4663 Saphira Cross-site Scripting vulnerability in Saphira Connect

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Saphira Saphira Connect allows Reflected XSS.This issue affects Saphira Connect: before 9.

6.1
2023-09-15 CVE-2023-40983 Webmin Cross-site Scripting vulnerability in Webmin 2.100

A reflected cross-site scripting (XSS) vulnerability in the File Manager function of Webmin v2.100 allows attackers to execute malicious scripts via injecting a crafted payload into the Find in Results file.

6.1
2023-09-15 CVE-2023-4973 Creativeitem Cross-site Scripting vulnerability in Creativeitem Academy LMS 6.2

A vulnerability was found in Academy LMS 6.2 on Windows.

6.1
2023-09-15 CVE-2023-4978 Librenms Cross-site Scripting vulnerability in Librenms

Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.0.

6.1
2023-09-14 CVE-2023-40869 Moosocial Cross-site Scripting vulnerability in Moosocial 3.1.6/3.1.7

Cross Site Scripting vulnerability in mooSocial mooSocial Software 3.1.6 and 3.1.7 allows a remote attacker to execute arbitrary code via a crafted script to the edit_menu, copuon, and group_categorias functions.

6.1
2023-09-14 CVE-2023-41588 Appfire Cross-site Scripting vulnerability in Appfire Time to SLA 10.13.5

A cross-site scripting (XSS) vulnerability in Time to SLA plugin v10.13.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the durationFormat parameter.

6.1
2023-09-14 CVE-2023-4676 Yordam Cross-site Scripting vulnerability in Yordam Medaspro

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yordam MedasPro allows Reflected XSS.This issue affects MedasPro: before 28.

6.1
2023-09-14 CVE-2023-40779 Icewarp Open Redirect vulnerability in Icewarp Deep Castle G2 13.0.1.2

An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.

6.1
2023-09-13 CVE-2023-40617 Openknowledgemaps Cross-site Scripting vulnerability in Openknowledgemaps Head Start 7

A reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeMaps Head Start 7 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'file' parameter in 'displayPDF.php'.

6.1
2023-09-13 CVE-2023-41162 Webmin Cross-site Scripting vulnerability in Webmin Usermin 2.000

A Reflected Cross-site scripting (XSS) vulnerability in the file manager tab in Usermin 2.000 allows remote attackers to inject arbitrary web script or HTML via the file mask field while searching under the tools drop down.

6.1
2023-09-13 CVE-2023-29305 Adobe Cross-site Scripting vulnerability in Adobe Connect

Adobe Connect versions 12.3 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.

6.1
2023-09-13 CVE-2023-29306 Adobe Cross-site Scripting vulnerability in Adobe Connect

Adobe Connect versions 12.3 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.

6.1
2023-09-12 CVE-2023-21522 Blackberry Cross-site Scripting vulnerability in Blackberry Athoc 7.15

A Reflected Cross-site Scripting (XSS) vulnerability in the Management Console (Reports) of BlackBerry AtHoc version 7.15 could allow an attacker to potentially control a script that is executed in the victim's browser then they can execute script commands in the context of the affected user account. 

6.1
2023-09-12 CVE-2023-4913 Cecil Cross-site Scripting vulnerability in Cecil

Cross-site Scripting (XSS) - Reflected in GitHub repository cecilapp/cecil prior to 7.47.1.

6.1
2023-09-12 CVE-2023-41013 Icewarp Cross-site Scripting vulnerability in Icewarp 10.3.1

Cross Site Scripting (XSS) in Webmail Calendar in IceWarp 10.3.1 allows remote attackers to inject arbitrary web script or HTML via the "p4" field.

6.1
2023-09-12 CVE-2023-26142 Crowcpp Injection vulnerability in Crowcpp Crow 1.0+5

All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values.

6.1
2023-09-11 CVE-2023-38878 Devcode Cross-site Scripting vulnerability in Devcode Openstamanager

A reflected cross-site scripting (XSS) vulnerability in DevCode OpenSTAManager versions 2.4.24 to 2.4.47 may allow a remote attacker to execute arbitrary JavaScript in the web browser of a victim by injecting a malicious payload into the 'error' and 'error_description' parameters of 'oauth2.php'.

6.1
2023-09-11 CVE-2023-2705 Gappointments Unspecified vulnerability in Gappointments

The gAppointments WordPress plugin before 1.10.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin

6.1
2023-09-11 CVE-2023-3169 Tagdiv Unspecified vulnerability in Tagdiv Composer

The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.

6.1
2023-09-11 CVE-2023-4270 Codeastrology Unspecified vulnerability in Codeastrology MIN MAX Control

The Min Max Control WordPress plugin before 4.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

6.1
2023-09-11 CVE-2023-4294 Kaizencoders Unspecified vulnerability in Kaizencoders URL Shortify

The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link.

6.1
2023-09-11 CVE-2023-39067 Zlmediakit Cross-site Scripting vulnerability in Zlmediakit 4.0/5.0

Cross Site Scripting vulnerability in ZLMediaKiet v.4.0 and v.5.0 allows an attacker to execute arbitrary code via a crafted script to the URL.

6.1
2023-09-11 CVE-2023-41609 Couchcms Open Redirect vulnerability in Couchcms 2.3

An open redirect vulnerability in the sanitize_url() parameter of CouchCMS v2.3 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.

6.1
2023-09-12 CVE-2023-4813 GNU
Redhat
Fedoraproject
Netapp
Use After Free vulnerability in multiple products

A flaw was found in glibc.

5.9
2023-09-15 CVE-2023-36472 Strapi Information Exposure vulnerability in Strapi

Strapi is an open-source headless content management system.

5.7
2023-09-12 CVE-2023-36777 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2016/2019

Microsoft Exchange Server Information Disclosure Vulnerability

5.7
2023-09-13 CVE-2023-3301 Qemu
Redhat
Race Condition vulnerability in multiple products

A flaw was found in QEMU.

5.6
2023-09-13 CVE-2023-4155 Linux
Redhat
Fedoraproject
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in multiple products

A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel.

5.6
2023-09-16 CVE-2023-36160 Quboworld Unspecified vulnerability in Quboworld Smart Plug 10A Firmware Hsp02010114System10A

An issue was discovered in Qubo Smart Plug10A version HSP02_01_01_14_SYSTEM-10 A, allows local attackers to gain sensitive information and other unspecified impact via UART console.

5.5
2023-09-14 CVE-2023-25585 GNU Use of Uninitialized Resource vulnerability in GNU Binutils 2.40

A flaw was found in Binutils.

5.5
2023-09-14 CVE-2023-25586 GNU Use of Uninitialized Resource vulnerability in GNU Binutils 2.40

A flaw was found in Binutils.

5.5
2023-09-14 CVE-2023-25588 GNU Use of Uninitialized Resource vulnerability in GNU Binutils 2.40

A flaw was found in Binutils.

5.5
2023-09-14 CVE-2023-32611 Gnome Resource Exhaustion vulnerability in Gnome Glib

A flaw was found in GLib.

5.5
2023-09-14 CVE-2023-32665 Gnome Deserialization of Untrusted Data vulnerability in Gnome Glib

A flaw was found in GLib.

5.5
2023-09-14 CVE-2023-41010 Tianyisc Insufficiently Protected Credentials vulnerability in Tianyisc Tewa-700G Firmware

Insecure Permissions vulnerability in Sichuan Tianyi Kanghe Communication Co., Ltd China Telecom Tianyi Home Gateway v.TEWA-700G allows a local attacker to obtain sensitive information via the default password parameter.

5.5
2023-09-14 CVE-2023-38558 Siemens Exposure of Resource to Wrong Sphere vulnerability in Siemens Simatic PCS NEO 4.0

A vulnerability has been identified in SIMATIC PCS neo (Administration Console) V4.0 (All versions), SIMATIC PCS neo (Administration Console) V4.0 Update 1 (All versions).

5.5
2023-09-14 CVE-2023-42503 Apache Unspecified vulnerability in Apache Commons Compress

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0. Users are recommended to upgrade to version 1.24.0, which fixes the issue. A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption. In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]).

5.5
2023-09-13 CVE-2023-3280 Paloaltonetworks Improper Handling of Exceptional Conditions vulnerability in Paloaltonetworks Cortex XDR Agent

A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to disable the agent.

5.5
2023-09-13 CVE-2023-40715 Fortinet Cleartext Storage of Sensitive Information vulnerability in Fortinet Fortitester

A cleartext storage of sensitive information vulnerability [CWE-312] in FortiTester 2.3.0 through 7.2.3 may allow an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device.

5.5
2023-09-12 CVE-2023-36766 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Information Disclosure Vulnerability

5.5
2023-09-12 CVE-2023-36803 Microsoft Out-of-bounds Read vulnerability in Microsoft products

Windows Kernel Information Disclosure Vulnerability

5.5
2023-09-12 CVE-2023-38140 Microsoft Unspecified vulnerability in Microsoft products

Windows Kernel Information Disclosure Vulnerability

5.5
2023-09-12 CVE-2023-38160 Microsoft Exposure of Resource to Wrong Sphere vulnerability in Microsoft products

Windows TCP/IP Information Disclosure Vulnerability

5.5
2023-09-12 CVE-2023-41764 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Office Spoofing Vulnerability

5.5
2023-09-11 CVE-2023-35664 Google Out-of-bounds Read vulnerability in Google Android 12.0/12.1/13.0

In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check.

5.5
2023-09-11 CVE-2023-35671 Google Unspecified vulnerability in Google Android

In onHostEmulationData of HostEmulationManager.java, there is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code.

5.5
2023-09-11 CVE-2023-35675 Google Unspecified vulnerability in Google Android

In loadMediaResumptionControls of MediaResumeListener.kt, there is a possible way to play and listen to media files played by another user on the same device due to a logic error in the code.

5.5
2023-09-11 CVE-2023-35677 Google Unspecified vulnerability in Google Android

In onCreate of DeviceAdminAdd.java, there is a possible way to forcibly add a device admin due to a missing permission check.

5.5
2023-09-11 CVE-2023-35679 Google Out-of-bounds Read vulnerability in Google Android

In MtpPropertyValue of MtpProperty.h, there is a possible out of bounds read due to uninitialized data.

5.5
2023-09-11 CVE-2023-35680 Google Unspecified vulnerability in Google Android

In multiple locations, there is a possible way to import contacts belonging to other users due to a confused deputy.

5.5
2023-09-11 CVE-2023-35683 Google SQL Injection vulnerability in Google Android

In bindSelection of DatabaseUtils.java, there is a possible way to access files from other applications due to SQL injection.

5.5
2023-09-11 CVE-2023-40032 Libvips NULL Pointer Dereference vulnerability in Libvips

libvips is a demand-driven, horizontally threaded image processing library.

5.5
2023-09-11 CVE-2023-41000 Gpac Use After Free vulnerability in Gpac

GPAC through 2.2.1 has a use-after-free vulnerability in the function gf_bifs_flush_command_list in bifs/memory_decoder.c.

5.5
2023-09-11 CVE-2019-7819 Adobe Out-of-bounds Read vulnerability in Adobe Acrobat DC

Adobe Acrobat Reader versions 2019.010.20098 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

5.5
2023-09-11 CVE-2022-34238 Adobe Out-of-bounds Read vulnerability in Adobe products

Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 (and earlier) and 20.005.30334 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

5.5
2023-09-11 CVE-2023-4104 Mozilla Missing Authorization vulnerability in Mozilla VPN

An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. *This bug only affects Mozilla VPN on Linux.

5.5
2023-09-11 CVE-2023-42467 Qemu Divide By Zero vulnerability in Qemu

QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256.

5.5
2023-09-17 CVE-2023-5025 Koha Cross-site Scripting vulnerability in Koha

A vulnerability was found in KOHA up to 23.05.03.

5.4
2023-09-16 CVE-2023-5013 Pluck CMS Cross-site Scripting vulnerability in Pluck-Cms Pluck 4.7.18

A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic.

5.4
2023-09-16 CVE-2023-41157 Webmin Cross-site Scripting vulnerability in Webmin Usermin 2.000

Multiple stored cross-site scripting (XSS) vulnerabilities in Usermin 2.000 allow remote attackers to inject arbitrary web script or HTML via the folder name parameter while creating the folder to manage the folder tab, filter tab, and forward mail tab.

5.4
2023-09-16 CVE-2023-5001 Gopiplus Cross-site Scripting vulnerability in Gopiplus Horizontal Scrolling Announcement 9.2

The Horizontal scrolling announcement for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'horizontal-scrolling' shortcode in versions up to, and including, 9.2 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-09-16 CVE-2023-39777 Vbulletin Cross-site Scripting vulnerability in Vbulletin

A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.

5.4
2023-09-16 CVE-2023-41436 Cskaza Cross-site Scripting vulnerability in Cskaza Cszcms 1.3.0

Cross Site Scripting vulnerability in CSZCMS v.1.3.0 allows a local attacker to execute arbitrary code via a crafted script to the Additional Meta Tag parameter in the Pages Content Menu component.

5.4
2023-09-15 CVE-2023-40982 Webmin Cross-site Scripting vulnerability in Webmin 2.100

A stored cross-site scripting (XSS) vulnerability in Webmin v2.100 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cloned module name parameter.

5.4
2023-09-15 CVE-2023-4963 Webshouters Unspecified vulnerability in Webshouters WS Facebook Like BOX Widget

The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-09-15 CVE-2023-40984 Webmin Cross-site Scripting vulnerability in Webmin 2.100

A reflected cross-site scripting (XSS) vulnerability in the File Manager function of Webmin v2.100 allows attackers to execute malicious scripts via injecting a crafted payload into the Replace in Results file.

5.4
2023-09-15 CVE-2023-40985 Webmin Cross-site Scripting vulnerability in Webmin 2.100

An issue was discovered in Webmin 2.100.

5.4
2023-09-15 CVE-2023-40986 Webmin Cross-site Scripting vulnerability in Webmin 2.100

A stored cross-site scripting (XSS) vulnerability in the Usermin Configuration function of Webmin v2.100 allows attackers to execute arbitrary web sripts or HTML via a crafted payload injected into the Custom field.

5.4
2023-09-15 CVE-2023-4977 Librenms Code Injection vulnerability in Librenms

Code Injection in GitHub repository librenms/librenms prior to 23.9.0.

5.4
2023-09-15 CVE-2023-4979 Librenms Cross-site Scripting vulnerability in Librenms

Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.9.0.

5.4
2023-09-15 CVE-2023-4980 Librenms Cross-site Scripting vulnerability in Librenms

Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 23.9.0.

5.4
2023-09-15 CVE-2023-4981 Librenms Cross-site Scripting vulnerability in Librenms

Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.0.

5.4
2023-09-15 CVE-2023-4982 Librenms Cross-site Scripting vulnerability in Librenms

Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 23.9.0.

5.4
2023-09-14 CVE-2023-41592 Froala Cross-site Scripting vulnerability in Froala Editor

Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability.

5.4
2023-09-14 CVE-2023-41156 Webmin Cross-site Scripting vulnerability in Webmin Usermin 2.001

A Stored Cross-Site Scripting (XSS) vulnerability in the filter and forward mail tab in Usermin 2.001 allows remote attackers to inject arbitrary web script or HTML via the save to new folder named field while creating a new filter.

5.4
2023-09-14 CVE-2023-41159 Webmin Cross-site Scripting vulnerability in Webmin Usermin 2.000

A Stored Cross-Site Scripting (XSS) vulnerability while editing the autoreply file page in Usermin 2.000 allows remote attackers to inject arbitrary web script or HTML by editing the forward file manually.

5.4
2023-09-14 CVE-2023-41160 Webmin Cross-site Scripting vulnerability in Webmin Usermin 2.001

A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configuration tab in Usermin 2.001 allows remote attackers to inject arbitrary web script or HTML via the key name field while adding an authorized key.

5.4
2023-09-14 CVE-2023-42362 Teller Cross-site Scripting vulnerability in Teller 4.4.0

An arbitrary file upload vulnerability in Teller Web App v.4.4.0 allows a remote attacker to execute arbitrary commands and obtain sensitive information via uploading a crafted file.

5.4
2023-09-14 CVE-2023-4841 Smashballoon Unspecified vulnerability in Smashballoon Feeds for Youtube

The Feeds for YouTube for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube-feed' shortcode in versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-09-14 CVE-2023-4944 Awesome Weather Widget Project Unspecified vulnerability in Awesome Weather Widget Project Awesome Weather Widget

The Awesome Weather Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'awesome-weather' shortcode in versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-09-14 CVE-2023-4945 Booster Unspecified vulnerability in Booster for Woocommerce

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in versions up to, and including, 7.1.0 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-09-13 CVE-2023-41152 Webmin Cross-site Scripting vulnerability in Webmin Usermin 2.000

A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type programs tab in Usermin 2.000 allows remote attackers to inject arbitrary web script or HTML via the handle program field while creating a new MIME type program.

5.4
2023-09-13 CVE-2023-41154 Webmin Cross-site Scripting vulnerability in Webmin Usermin 2.000

A Stored Cross-Site Scripting (XSS) vulnerability in the scheduled cron jobs tab in Usermin 2.000 allows remote attackers to inject arbitrary web script or HTML via the value field parameter while creating a new environment variable.

5.4
2023-09-13 CVE-2023-41155 Webmin Cross-site Scripting vulnerability in Webmin Usermin and Webmin

A Stored Cross-Site Scripting (XSS) vulnerability in the mail forwarding and replies tab in Webmin and Usermin 2.000 allows remote attackers to inject arbitrary web script or HTML via the forward to field while creating a mail forwarding rule.

5.4
2023-09-13 CVE-2023-41158 Webmin Cross-site Scripting vulnerability in Webmin Usermin 2.000

A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type programs tab in Usermin 2.000 allows remote attackers to inject arbitrary web script or HTML via the description field while creating a new MIME type program.

5.4
2023-09-13 CVE-2023-3588 3DS Cross-site Scripting vulnerability in 3DS Teamwork Cloud NO Magic Release 2021X/2022X

A stored Cross-site Scripting (XSS) vulnerability affecting Teamwork Cloud from No Magic Release 2021x through No Magic Release 2022x allows an attacker to execute arbitrary script code.

5.4
2023-09-13 CVE-2023-38214 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.17 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.

5.4
2023-09-13 CVE-2023-38215 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.17 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.

5.4
2023-09-13 CVE-2023-29183 Fortinet Cross-site Scripting vulnerability in Fortinet Fortios and Fortiproxy

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiProxy 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 and FortiOS 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14 GUI may allow an authenticated attacker to trigger malicious JavaScript code execution via crafted guest management setting.

5.4
2023-09-12 CVE-2023-41423 Terryl Cross-site Scripting vulnerability in Terryl WP Githuber MD 1.16.2

Cross Site Scripting vulnerability in WP Githuber MD plugin v.1.16.2 allows a remote attacker to execute arbitrary code via a crafted payload to the new article function.

5.4
2023-09-12 CVE-2023-21523 Blackberry Cross-site Scripting vulnerability in Blackberry Athoc 7.15

A Stored Cross-site Scripting (XSS) vulnerability in the Management Console (User Management and Alerts) of BlackBerry AtHoc version 7.15 could allow an attacker to execute script commands in the context of the affected user account.

5.4
2023-09-12 CVE-2023-30962 Palantir Cross-site Scripting vulnerability in Palantir Gotham Cerberus

The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users.

5.4
2023-09-12 CVE-2023-29463 Rockwellautomation Improper Authentication vulnerability in Rockwellautomation Pavilion8

The JMX Console within the Rockwell Automation Pavilion8 is exposed to application users and does not require authentication.

5.4
2023-09-12 CVE-2023-36800 Microsoft Cross-site Scripting vulnerability in Microsoft Dynamics 365

Dynamics Finance and Operations Cross-site Scripting Vulnerability

5.4
2023-09-12 CVE-2023-36886 Microsoft Cross-site Scripting vulnerability in Microsoft Dynamics 365

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

5.4
2023-09-12 CVE-2023-38164 Microsoft Cross-site Scripting vulnerability in Microsoft Dynamics 365

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

5.4
2023-09-12 CVE-2023-0119 Redhat Cross-site Scripting vulnerability in Redhat Satellite 6.13

A stored Cross-site scripting vulnerability was found in foreman.

5.4
2023-09-12 CVE-2023-37875 Wftpserver Improper Encoding or Escaping of Output vulnerability in Wftpserver Wing FTP Server

Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: <= 7.2.0.

5.4
2023-09-12 CVE-2023-40624 SAP Cross-site Scripting vulnerability in SAP Netweaver Application Server Abap

SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application.

5.4
2023-09-12 CVE-2023-40625 SAP Missing Authorization vulnerability in SAP S4Core

S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user.

5.4
2023-09-12 CVE-2023-4840 Mappresspro Unspecified vulnerability in Mappresspro Mappress Maps for Wordpress

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'mappress' shortcode in versions up to, and including, 2.88.4 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-09-12 CVE-2023-4887 Themeisle Unspecified vulnerability in Themeisle Google Maps Plugin BY Intergeo 2.3.2

The Google Maps Plugin by Intergeo for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'intergeo' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-09-12 CVE-2023-4890 Designchemical Unspecified vulnerability in Designchemical Jquery Accordion Menu Widget 3.1.2

The JQuery Accordion Menu Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcwp-jquery-accordion' shortcode in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-09-12 CVE-2023-4893 Aramk Unspecified vulnerability in Aramk Crayon-Syntax-Highlighter

The Crayon Syntax Highlighter plugin for WordPress is vulnerable to Server Side Request Forgery via the 'crayon' shortcode in versions up to, and including, 2.8.4.

5.4
2023-09-11 CVE-2023-3510 Danialhatami Unspecified vulnerability in Danialhatami FTP Access 1.0

The FTP Access WordPress plugin through 1.0 does not have authorisation and CSRF checks when updating its settings and is missing sanitisation as well as escaping in them, allowing any authenticated users, such as subscriber to update them with XSS payloads, which will be triggered when an admin will view the settings of the plugin.

5.4
2023-09-11 CVE-2023-41103 Interactsoftware Cross-site Scripting vulnerability in Interactsoftware Interact 7.9.79.5

Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) attacks in several locations, allowing an attacker to store a JavaScript payload.

5.4
2023-09-11 CVE-2023-41593 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Dairy Farm Shop Management System 1.1

Multiple cross-site scripting (XSS) vulnerabilities in Dairy Farm Shop Management System Using PHP and MySQL v1.1 allow attackers to execute arbitrary web scripts and HTML via a crafted payload injected into the Category and Category Field parameters.

5.4
2023-09-11 CVE-2023-40786 Hkcms Cross-site Scripting vulnerability in Hkcms 2.3.0.230709

HKcms v2.3.0.230709 is vulnerable to Cross Site Scripting (XSS) allowing administrator cookies to be stolen.

5.4
2023-09-15 CVE-2023-41889 SS Proj Improper Encoding or Escaping of Output vulnerability in Ss-Proj Shirasagi

SHIRASAGI is a Content Management System.

5.3
2023-09-15 CVE-2023-42442 Fit2Cloud Improper Authentication vulnerability in Fit2Cloud Jumpserver

JumpServer is an open source bastion host and a professional operation and maintenance security audit system.

5.3
2023-09-15 CVE-2023-37281 Contiki NG Out-of-bounds Read vulnerability in Contiki-Ng

Contiki-NG is an operating system for internet-of-things devices.

5.3
2023-09-15 CVE-2023-37459 Contiki NG Out-of-bounds Read vulnerability in Contiki-Ng

Contiki-NG is an operating system for internet-of-things devices.

5.3
2023-09-15 CVE-2023-40167 Eclipse
Debian
Improper Handling of Length Parameter Inconsistency vulnerability in multiple products

Jetty is a Java based web server and servlet engine.

5.3
2023-09-15 CVE-2023-41880 Bytecodealliance Off-by-one Error vulnerability in Bytecodealliance Wasmtime

Wasmtime is a standalone runtime for WebAssembly.

5.3
2023-09-15 CVE-2022-3466 Kubernetes
Redhat
Incorrect Default Permissions vulnerability in multiple products

The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600.

5.3
2023-09-14 CVE-2023-38206 Adobe Unspecified vulnerability in Adobe Coldfusion 2018/2021/2023

Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass.

5.3
2023-09-13 CVE-2023-42468 Azmobileapps Unspecified vulnerability in Azmobileapps Color Phone

The com.cutestudio.colordialer application through 2.1.8-2 for Android allows a remote attacker to initiate phone calls without user consent, because of improper export of the com.cutestudio.dialer.activities.DialerActivity component.

5.3
2023-09-13 CVE-2023-20190 Cisco Incorrect Authorization vulnerability in Cisco IOS XR

A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device. This vulnerability is due to incorrect destination address range encoding in the compression module of an ACL that is applied to an interface of an affected device.

5.3
2023-09-13 CVE-2021-44172 Fortinet Information Exposure vulnerability in Fortinet Forticlient Endpoint Management Server

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClientEMS versions 7.0.0 through 7.0.4, 7.0.6 through 7.0.7, in all 6.4 and 6.2 version management interface may allow an unauthenticated attacker to gain information on environment variables such as the EMS installation path.

5.3
2023-09-13 CVE-2023-27998 Fortinet Improper Handling of Exceptional Conditions vulnerability in Fortinet Fortipresence

A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths.

5.3
2023-09-13 CVE-2023-36551 Fortinet Unspecified vulnerability in Fortinet Fortisiem

A exposure of sensitive information to an unauthorized actor in Fortinet FortiSIEM version 6.7.0 through 6.7.5 allows attacker to information disclosure via a crafted http request.

5.3
2023-09-13 CVE-2023-4915 Palmspark Unspecified vulnerability in Palmspark WP User Control

The WP User Control plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.5.3.

5.3
2023-09-12 CVE-2023-41885 Piccolo ORM Information Exposure Through Discrepancy vulnerability in Piccolo-Orm Piccolo

Piccolo is an ORM and query builder which supports asyncio.

5.3
2023-09-12 CVE-2023-21520 Blackberry Unspecified vulnerability in Blackberry Athoc 7.15

A PII Enumeration via Credential Recovery in the Self Service (Credential Recovery) of BlackBerry AtHoc version 7.15 could allow an attacker to potentially associate a list of contact details with an AtHoc IWS organization.

5.3
2023-09-12 CVE-2023-36801 Microsoft Unspecified vulnerability in Microsoft products

DHCP Server Service Information Disclosure Vulnerability

5.3
2023-09-12 CVE-2023-38152 Microsoft Exposure of Resource to Wrong Sphere vulnerability in Microsoft products

DHCP Server Service Information Disclosure Vulnerability

5.3
2023-09-12 CVE-2023-32005 Nodejs Incorrect Permission Assignment for Critical Resource vulnerability in Nodejs Node.Js

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API.

5.3
2023-09-12 CVE-2023-37489 SAP Information Exposure Through an Error Message vulnerability in SAP Businessobjects Business Intelligence 430

Due to the lack of validation, SAP BusinessObjects Business Intelligence Platform (Version Management System) - version 403, permits an unauthenticated user to read the code snippet through the UI, which leads to low impact on confidentiality and no impact on the application's availability or integrity.

5.3
2023-09-12 CVE-2023-41367 SAP Missing Authentication for Critical Function vulnerability in SAP Netweaver 7.50

Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can gain access to admin view of specific function anonymously.

5.3
2023-09-12 CVE-2023-41368 SAP Authorization Bypass Through User-Controlled Key vulnerability in SAP S/4 Hana

The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.

5.3
2023-09-11 CVE-2023-36980 Ethereum Unspecified vulnerability in Ethereum Blockchain 0.1.1+Commit.6Ff4Cd6

An issue in Ethereum Blockchain v0.1.1+commit.6ff4cd6 cause the balance to be zeroed out when the value of betsize+casino.balance exceeds the threshold.

5.3
2023-09-11 CVE-2023-40040 Mycrops Missing Authorization vulnerability in Mycrops Higrade 1.0.337

An issue was discovered in the MyCrops HiGrade "THC Testing & Cannabi" application 1.0.337 for Android.

5.3
2023-09-14 CVE-2023-26141 Contribsys Insufficient Verification of Data Authenticity vulnerability in Contribsys Sidekiq

Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file.

4.9
2023-09-17 CVE-2023-5024 Planno Cross-site Scripting vulnerability in Planno Planning Biblio 23.04.04

A vulnerability was found in Planno 23.04.04.

4.8
2023-09-15 CVE-2023-41626 Gradio Project Unrestricted Upload of File with Dangerous Type vulnerability in Gradio Project Gradio 3.27.0

Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface.

4.8
2023-09-14 CVE-2023-4965 Phpipam Open Redirect vulnerability in PHPipam 1.5.1

A vulnerability was found in phpipam 1.5.1.

4.8
2023-09-14 CVE-2023-4951 Greenrocketsecurity Cross-site Scripting vulnerability in Greenrocketsecurity Greenradius

A cross site scripting issue was discovered with the pagination function on the "Client-based Authentication Policy Configuration" screen of the GreenRADIUS web admin interface. This issue is found in GreenRADIUS v5.1.1.1 and prior.

4.8
2023-09-13 CVE-2023-4802 Proofpoint Cross-site Scripting vulnerability in Proofpoint Insider Threat Management

A reflected cross-site scripting vulnerability in the UpdateInstalledSoftware endpoint of the Insider Threat Management (ITM) Server's web console could be used by an authenticated administrator to run arbitrary javascript within another web console administrator's browser.

4.8
2023-09-13 CVE-2023-4803 Proofpoint Cross-site Scripting vulnerability in Proofpoint Insider Threat Management

A reflected cross-site scripting vulnerability in the WriteWindowTitle endpoint of the Insider Threat Management (ITM) Server's web console could be used by an authenticated administrator to run arbitrary javascript within another web console administrator's browser.

4.8
2023-09-13 CVE-2023-4039 GNU Unspecified vulnerability in GNU GCC

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected.

4.8
2023-09-11 CVE-2023-3170 Tagdiv Cross-site Scripting vulnerability in Tagdiv Composer

The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-09-11 CVE-2023-4022 WOW Company Unspecified vulnerability in Wow-Company Herd Effects

The Herd Effects WordPress plugin before 5.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-09-11 CVE-2023-4060 Wpadminify Unspecified vulnerability in Wpadminify WP Adminify

The WP Adminify WordPress plugin before 3.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-09-11 CVE-2023-35845 Anaconda Improper Certificate Validation vulnerability in Anaconda Anaconda3 2023.031

Anaconda 3 2023.03-1-Linux allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program.

4.7
2023-09-17 CVE-2023-5028 Chinaunicom Information Exposure Through Log Files vulnerability in Chinaunicom Tewa-800G Firmware 4.16L.04Ct2015Yueme

A vulnerability, which was classified as problematic, has been found in China Unicom TEWA-800G 4.16L.04_CT2015_Yueme.

4.6
2023-09-12 CVE-2023-34469 AMI Unspecified vulnerability in AMI Aptio V

AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper access control via the physical network.

4.6
2023-09-12 CVE-2023-36736 Microsoft Unspecified vulnerability in Microsoft Identity Linux Broker

Microsoft Identity Linux Broker Remote Code Execution Vulnerability

4.4
2023-09-15 CVE-2023-41900 Eclipse
Debian
Improper Authentication vulnerability in multiple products

Jetty is a Java based web server and servlet engine.

4.3
2023-09-15 CVE-2023-36479 Eclipse
Debian
Improper Neutralization of Quoting Syntax vulnerability in multiple products

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project.

4.3
2023-09-15 CVE-2022-20917 Cisco Unspecified vulnerability in Cisco Jabber

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) message processing feature of Cisco Jabber could allow an authenticated, remote attacker to manipulate the content of XMPP messages that are used by the affected application. This vulnerability is due to the improper handling of nested XMPP messages within requests that are sent to the Cisco Jabber client software.

4.3
2023-09-14 CVE-2023-39285 Mitel Cross-Site Request Forgery (CSRF) vulnerability in Mitel Mivoice Connect

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation.

4.3
2023-09-14 CVE-2023-39286 Mitel Cross-Site Request Forgery (CSRF) vulnerability in Mitel Connect Mobility Router

A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation.

4.3
2023-09-14 CVE-2021-28485 Ericsson Path Traversal vulnerability in Ericsson Mobile Switching Center Server BC 18A Firmware Is3.1

In Ericsson Mobile Switching Center Server (MSC-S) before IS 3.1 CP22, the SIS web application allows relative path traversal via a specific parameter in the https request after authentication, which allows access to files on the system that are not intended to be accessible via the web application.

4.3
2023-09-14 CVE-2023-4948 Yanco Unspecified vulnerability in Yanco Woocommerce CVR Payment Gateway 6.1.0

The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_cvr_data AJAX action in versions up to 6.1.0.

4.3
2023-09-13 CVE-2023-36638 Fortinet Unspecified vulnerability in Fortinet Fortianalyzer and Fortimanager

An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.

4.3
2023-09-12 CVE-2023-4900 Google
Fedoraproject
Debian
Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to obfuscate a permission prompt via a crafted HTML page.
4.3
2023-09-12 CVE-2023-4901 Google
Fedoraproject
Debian
Inappropriate implementation in Prompts in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to potentially spoof security UI via a crafted HTML page.
4.3
2023-09-12 CVE-2023-4902 Google
Fedoraproject
Debian
Inappropriate implementation in Input in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page.
4.3
2023-09-12 CVE-2023-4903 Google
Fedoraproject
Debian
Inappropriate implementation in Custom Mobile Tabs in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page.
4.3
2023-09-12 CVE-2023-4904 Google
Fedoraproject
Debian
Insufficient policy enforcement in Downloads in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to bypass Enterprise policy restrictions via a crafted download.
4.3
2023-09-12 CVE-2023-4905 Google
Fedoraproject
Debian
Inappropriate implementation in Prompts in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page.
4.3
2023-09-12 CVE-2023-4906 Google
Fedoraproject
Debian
Insufficient policy enforcement in Autofill in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page.
4.3
2023-09-12 CVE-2023-4907 Google
Fedoraproject
Debian
Inappropriate implementation in Intents in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to obfuscate security UI via a crafted HTML page.
4.3
2023-09-12 CVE-2023-4908 Google
Fedoraproject
Debian
Inappropriate implementation in Picture in Picture in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page.
4.3
2023-09-12 CVE-2023-4909 Google
Fedoraproject
Debian
Inappropriate implementation in Interstitials in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to obfuscate security UI via a crafted HTML page.
4.3
2023-09-12 CVE-2023-36767 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Office Security Feature Bypass Vulnerability

4.3
2023-09-12 CVE-2023-40611 Apache Incorrect Authorization vulnerability in Apache Airflow

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes.

4.3
2023-09-12 CVE-2023-41369 SAP XXE vulnerability in SAP S/4 Hana

The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.

4.3
2023-09-11 CVE-2023-4307 Teknigar Unspecified vulnerability in Teknigar Lock User Account

The Lock User Account WordPress plugin through 1.0.3 does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack

4.3
2023-09-11 CVE-2023-4318 WOW Company Unspecified vulnerability in Wow-Company Herd Effects

The Herd Effects WordPress plugin before 5.2.4 does not have CSRF when deleting its items, which could allow attackers to make logged in admins delete arbitrary effects via a CSRF attack

4.3
2023-09-11 CVE-2023-4630 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports.

4.3
2023-09-11 CVE-2023-4581 Mozilla Unspecified vulnerability in Mozilla Thunderbird

Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm.

4.3
2023-09-13 CVE-2023-4828 Proofpoint Improper Check for Unusual or Exceptional Conditions vulnerability in Proofpoint Insider Threat Management

An improper check for an exceptional condition in the Insider Threat Management (ITM) Server could be used by an attacker to change the server's configuration of any already-registered agent so that the agent sends all future communications to an attacker-chosen URL.

4.2
2023-09-12 CVE-2023-40725 Siemens Information Exposure Through an Error Message vulnerability in Siemens QMS Automotive 12.30

A vulnerability has been identified in QMS Automotive (All versions < V12.39).

4.0

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-09-12 CVE-2023-40732 Siemens Insufficient Session Expiration vulnerability in Siemens QMS Automotive 12.30

A vulnerability has been identified in QMS Automotive (All versions < V12.39).

3.9
2023-09-13 CVE-2023-42469 Fulldive Missing Authorization vulnerability in Fulldive Full Dialer 1.0.1

The com.full.dialer.top.secure.encrypted application through 1.0.1 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.full.dialer.top.secure.encrypted.activities.DialerActivity component.

3.3
2023-09-12 CVE-2023-40218 Samsung Integer Overflow or Wraparound vulnerability in Samsung products

An issue was discovered in the NPU kernel driver in Samsung Exynos Mobile Processor 9820, 980, 2100, 2200, 1280, and 1380.

3.3
2023-09-12 CVE-2023-40442 Apple Information Exposure Through Log Files vulnerability in Apple Ipados and Iphone OS

A privacy issue was addressed with improved private data redaction for log entries.

3.3
2023-09-11 CVE-2023-4579 Mozilla Unspecified vulnerability in Mozilla Firefox

Search queries in the default search engine could appear to have been the currently navigated URL if the search query itself was a well formed URL.

3.1
2023-09-15 CVE-2023-37263 Strapi Unspecified vulnerability in Strapi

Strapi is the an open-source headless content management system.

2.7
2023-09-15 CVE-2023-4986 Supcon Use of Password Hash With Insufficient Computational Effort vulnerability in Supcon Inplant Scada 20230901

A vulnerability classified as problematic was found in Supcon InPlant SCADA up to 20230901.

2.5