Weekly Vulnerabilities Reports > November 27 to December 3, 2023

Overview

504 new vulnerabilities were reported during this period, including 95 critical and 183 high severity vulnerabilities. This weekly summary reports vulnerabilities in 386 products from 255 vendors, including Zyxel, Totolink, Tenda, Apache, and Bigprof. The most common categories are "Cross-site Scripting", "SQL Injection", "Cross-Site Request Forgery (CSRF)", "OS Command Injection", and "Out-of-bounds Write".

  • 453 reported vulnerabilities are remotely exploitable.
  • 233 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 331 reported vulnerabilities are exploitable by an anonymous user.
  • Zyxel has the most reported vulnerabilities, with 15 reported vulnerabilities.
  • Totolink has the most reported critical vulnerabilities, with 14 reported vulnerabilities.

Summary dashboard (counts not preserved in this extraction): total vulnerabilities; critical risk; high risk; medium risk; low risk; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application.

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


95 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-03 CVE-2020-36768 Reiner Lemoine Institut SQL Injection vulnerability in Reiner-Lemoine-Institut Nesp2 1.0

A vulnerability was found in rl-institut NESP2 Initial Release/1.0.

9.8
2023-12-02 CVE-2023-47100 Perl Improper Handling of Exceptional Conditions vulnerability in Perl

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled.

9.8
2023-12-02 CVE-2023-6464 Remyandrade SQL Injection vulnerability in Remyandrade User Registration and Login System 1.0

A vulnerability was found in SourceCodester User Registration and Login System 1.0 and classified as critical.

9.8
2023-12-01 CVE-2023-48801 Totolink Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R_Firmware V9.4.0cu.852_B20230719, the shttpd file sub_415534 function obtains fields from the front-end, connects them through the snprintf function, and passes them to the CsteSystem function, resulting in a command execution vulnerability.

9.8
2023-12-01 CVE-2023-48886 Luxiaoxun Deserialization of Untrusted Data vulnerability in Luxiaoxun Nettyrpc 1.2

A deserialization vulnerability in NettyRpc v1.2 allows attackers to execute arbitrary commands via sending a crafted RPC request.

9.8
2023-12-01 CVE-2023-48887 Fengjiachun Deserialization of Untrusted Data vulnerability in Fengjiachun Jupiter 1.3.1

A deserialization vulnerability in Jupiter v1.3.1 allows attackers to execute arbitrary commands via sending a crafted RPC request.

9.8
2023-12-01 CVE-2023-48842 Dlink Command Injection vulnerability in Dlink Go-Rt-Ac750 Firmware 101B03

D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi.

9.8
2023-12-01 CVE-2023-49371 Ruoyi SQL Injection vulnerability in Ruoyi

RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit.

9.8
2023-12-01 CVE-2023-5634 Arslansoft Education Portal Project SQL Injection vulnerability in Arslansoft Education Portal Project Arslansoft Education Portal

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ArslanSoft Education Portal allows SQL Injection. This issue affects Education Portal: before v1.1.

9.8
2023-12-01 CVE-2023-5636 Arslansoft Education Portal Project Unrestricted Upload of File with Dangerous Type vulnerability in Arslansoft Education Portal Project Arslansoft Education Portal

Unrestricted Upload of File with Dangerous Type vulnerability in ArslanSoft Education Portal allows Command Injection. This issue affects Education Portal: before v1.1.

9.8
2023-12-01 CVE-2023-43453 Totolink Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.652B20230116/9.4.0Cu.852B20230719

An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the IP parameter of the setDiagnosisCfg component.

9.8
2023-12-01 CVE-2023-43454 Totolink Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.652B20230116/9.4.0Cu.852B20230719

An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the hostName parameter of the switchOpMode component.

9.8
2023-12-01 CVE-2023-43455 Totolink Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.652B20230116/9.4.0Cu.852B20230719

An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the command parameter of the setting/setTracerouteCfg component.

9.8
2023-11-30 CVE-2023-39226 Deltaww Unspecified vulnerability in Deltaww Infrasuite Device Master 1.0.7

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute arbitrary code through a single UDP packet.

9.8
2023-11-30 CVE-2023-47207 Deltaww Deserialization of Untrusted Data vulnerability in Deltaww Infrasuite Device Master 1.0.7

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute code with local administrator privileges.

9.8
2023-11-30 CVE-2023-48802 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-48803 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-48804 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-48805 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-48806 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-48807 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-48808 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-48810 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-48811 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-48812 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution vulnerability.

9.8
2023-11-30 CVE-2023-6342 Tylertech Improper Authentication vulnerability in Tylertech Court Case Management Plus

Tyler Technologies Court Case Management Plus allows a remote attacker to authenticate as any user by manipulating at least the 'CmWebSearchPfp/Login.aspx?xyzldk=' and 'payforprint_CM/Redirector.ashx?userid=' parameters.

9.8
2023-11-30 CVE-2023-31176 Selinc Insufficient Entropy vulnerability in Selinc Sel-451 Firmware

An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication. See product Instruction Manual Appendix A dated 20230830 for more details.

9.8
2023-11-30 CVE-2023-34388 Selinc Improper Authentication vulnerability in Selinc Sel-451 Firmware

An Improper Authentication vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote unauthenticated attacker to potentially perform session hijacking attack and bypass authentication. See product Instruction Manual Appendix A dated 20230830 for more details.

9.8
2023-11-30 CVE-2023-6360 Joedolson SQL Injection vulnerability in Joedolson MY Calendar

The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.

9.8
2023-11-30 CVE-2023-49733 Apache XXE vulnerability in Apache Cocoon 2.2.0

Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon. This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

9.8
2023-11-30 CVE-2022-45135 Apache SQL Injection vulnerability in Apache Cocoon 2.2.0

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Cocoon. This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

9.8
2023-11-30 CVE-2023-49701 Asrmicro Out-of-bounds Write vulnerability in Asrmicro Asr1803 Firmware and Asr1806 Firmware

Memory Corruption in SIM management while USIMPhase2init

9.8
2023-11-30 CVE-2023-47418 Zoneland Unspecified vulnerability in Zoneland O2Oa

Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and before, allows attackers to create a new interface in the service management function to execute JavaScript.

9.8
2023-11-30 CVE-2023-47463 GL Inet Improper Preservation of Permissions vulnerability in Gl-Inet Gl-Ax1800 Firmware

Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the gl_nas_sys authentication function.

9.8
2023-11-30 CVE-2023-35138 Zyxel OS Command Injection vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware

A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

9.8
2023-11-30 CVE-2023-4473 Zyxel OS Command Injection vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware

A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

9.8
2023-11-30 CVE-2023-4474 Zyxel OS Command Injection vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware

The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

9.8
2023-11-30 CVE-2023-3741 NEC OS Command Injection vulnerability in NEC products

An OS Command injection vulnerability in NEC Platforms DT900 and DT900S Series all versions allows an attacker to execute any command on the device.

9.8
2023-11-29 CVE-2023-49693 Netgear Missing Authentication for Critical Function vulnerability in Netgear Prosafe Network Management System

NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol (JDWP) listening on port 11611 and it is remotely accessible by unauthenticated users, allowing attackers to execute arbitrary code.

9.8
2023-11-29 CVE-2022-42536 Google Unspecified vulnerability in Google Android

Remote code execution

9.8
2023-11-29 CVE-2022-42537 Google Unspecified vulnerability in Google Android

Remote code execution

9.8
2023-11-29 CVE-2022-42538 Google Unspecified vulnerability in Google Android

Elevation of privilege

9.8
2023-11-29 CVE-2022-42540 Google Unspecified vulnerability in Google Android

Elevation of privilege

9.8
2023-11-29 CVE-2022-42541 Google Unspecified vulnerability in Google Android

Remote code execution

9.8
2023-11-29 CVE-2023-49091 Cosmos Cloud Insufficient Session Expiration vulnerability in Cosmos-Cloud Cosmos Server

Cosmos provides users the ability to self-host a home server by acting as a secure gateway to your application, as well as a server manager.

9.8
2023-11-29 CVE-2023-49654 Jenkins Missing Authorization vulnerability in Jenkins Matlab

Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system.

9.8
2023-11-29 CVE-2023-49656 Jenkins XXE vulnerability in Jenkins Matlab

Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

9.8
2023-11-29 CVE-2023-45479 Tenda Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 16.03.10.13

Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the list parameter in the function sub_49E098.

9.8
2023-11-29 CVE-2023-45480 Tenda Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 16.03.10.13

Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the src parameter in the function sub_47D878.

9.8
2023-11-29 CVE-2023-45481 Tenda Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 16.03.10.13

Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the firewallEn parameter in the function SetFirewallCfg.

9.8
2023-11-29 CVE-2023-45482 Tenda Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 16.03.10.13

Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the urls parameter in the function get_parentControl_list_Info.

9.8
2023-11-29 CVE-2023-45483 Tenda Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 16.03.10.13

Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the time parameter in the function compare_parentcontrol_time.

9.8
2023-11-29 CVE-2023-45484 Tenda Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 16.03.10.13

Tenda AC10 version US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the shareSpeed parameter in the function fromSetWifiGuestBasic.

9.8
2023-11-29 CVE-2023-47462 GL Inet Incorrect Default Permissions vulnerability in Gl-Inet Gl-Ax1800 Firmware

Insecure Permissions vulnerability in GL.iNet AX1800 v.3.215 and before allows a remote attacker to execute arbitrary code via the file sharing function.

9.8
2023-11-29 CVE-2023-23324 Zumtobel Use of Hard-coded Credentials vulnerability in Zumtobel Netlink CCD Firmware 3.80

Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account.

9.8
2023-11-29 CVE-2023-23325 Zumtobel OS Command Injection vulnerability in Zumtobel Netlink CCD Firmware 3.80

Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command injection vulnerability via the NetHostname parameter.

9.8
2023-11-28 CVE-2023-48193 Fit2Cloud Unspecified vulnerability in Fit2Cloud Jumpserver 3.8.0

Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function.

9.8
2023-11-28 CVE-2023-41264 Netwrix Improper Authentication vulnerability in Netwrix Usercube

Netwrix Usercube before 6.0.215, in certain misconfigured on-premises installations, allows authentication bypass on deployment endpoints, leading to privilege escalation.

9.8
2023-11-28 CVE-2023-49313 Horsicq Code Injection vulnerability in Horsicq Xmachoviewer 0.04

A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity.

9.8
2023-11-28 CVE-2023-48022 Anyscale Server-Side Request Forgery (SSRF) vulnerability in Anyscale RAY 2.6.3/2.8.0

Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API.

9.8
2023-11-28 CVE-2023-3368 Chamilo OS Command Injection vulnerability in Chamilo 1.11.0/1.11.14

Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters.

9.8
2023-11-28 CVE-2023-3533 Chamilo Path Traversal vulnerability in Chamilo

Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.

9.8
2023-11-28 CVE-2023-3545 Chamilo Improper Handling of Case Sensitivity vulnerability in Chamilo 1.11.0/1.11.14

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file.

9.8
2023-11-28 CVE-2023-47503 Jflyfox Unspecified vulnerability in Jflyfox Jfinal CMS 5.1.0

An issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the login.jsp component in the template management module.

9.8
2023-11-27 CVE-2023-46349 Myprestamodules SQL Injection vulnerability in Myprestamodules Updateproducts

In the module "Product Catalog (CSV, Excel) Export/Update" (updateproducts) < 3.8.5 from MyPrestaModules for PrestaShop, a guest can perform SQL injection.

9.8
2023-11-27 CVE-2023-46480 Owncast Project Server-Side Request Forgery (SSRF) vulnerability in Owncast Project Owncast 0.1.1

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function.

9.8
2023-11-27 CVE-2023-48188 Store Opart SQL Injection vulnerability in Store-Opart Op'Art Devis

SQL injection vulnerability in PrestaShop opartdevis v.4.5.18 thru v.4.6.12 allows a remote attacker to execute arbitrary code via a crafted script to the getModuleTranslation function.

9.8
2023-11-27 CVE-2022-41951 Oroinc Path Traversal vulnerability in Oroinc Oroplatform

OroPlatform is a PHP Business Application Platform (BAP) designed to make development of custom business applications easier and faster.

9.8
2023-11-27 CVE-2023-49044 Tenda Out-of-bounds Write vulnerability in Tenda Ax1803 Firmware 1.0.0.1

Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the ssid parameter in the function form_fast_setting_wifi_set.

9.8
2023-11-27 CVE-2023-41998 Arcserve Unrestricted Upload of File with Dangerous Type vulnerability in Arcserve UDP

Arcserve UDP prior to 9.2 contained a vulnerability in the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface.

9.8
2023-11-27 CVE-2023-41999 Arcserve Improper Authentication vulnerability in Arcserve UDP

An authentication bypass exists in Arcserve UDP prior to version 9.2.

9.8
2023-11-27 CVE-2023-42000 Arcserve Path Traversal vulnerability in Arcserve UDP

Arcserve UDP prior to 9.2 contains a path traversal vulnerability in com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload().

9.8
2023-11-27 CVE-2023-49040 Tenda Command Injection vulnerability in Tenda Ax1803 Firmware 1.0.0.1

An issue in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the adslPwd parameter in the form_fast_setting_internet_set function.

9.8
2023-11-27 CVE-2023-49042 Tenda Out-of-bounds Write vulnerability in Tenda Ax1803 Firmware 1.0.0.1

Heap Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the schedStartTime parameter or the schedEndTime parameter in the function setSchedWifi.

9.8
2023-11-27 CVE-2023-4922 WPB Show Core Project Unspecified vulnerability in WPB Show Core Project WPB Show Core

The WPB Show Core WordPress plugin through 2.2 is vulnerable to a local file inclusion via the `path` parameter.

9.8
2023-11-27 CVE-2023-5604 Asgaros Unrestricted Upload of File with Dangerous Type vulnerability in Asgaros Forum

The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g.

9.8
2023-11-27 CVE-2023-5974 WPB Show Core Project Server-Side Request Forgery (SSRF) vulnerability in WPB Show Core Project WPB Show Core

The WPB Show Core WordPress plugin through 2.2 is vulnerable to server-side request forgery (SSRF) via the `path` parameter.

9.8
2023-11-27 CVE-2023-6329 Controlid Improper Authentication vulnerability in Controlid Idsecure 4.7.32.0

An authentication bypass vulnerability exists in Control iD iDSecure v4.7.32.0.

9.8
2023-11-27 CVE-2023-49043 Tenda Out-of-bounds Write vulnerability in Tenda Ax1803 Firmware 1.0.0.1

Buffer Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the wpapsk_crypto parameter in the function fromSetWirelessRepeat.

9.8
2023-11-27 CVE-2023-49046 Tenda Out-of-bounds Write vulnerability in Tenda Ax1803 Firmware 1.0.0.1

Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the devName parameter in the function formAddMacfilterRule.

9.8
2023-11-27 CVE-2023-4590 Kimmov Classic Buffer Overflow vulnerability in Kimmov Frhed 1.6.0

Buffer overflow vulnerability in Frhed hex editor, affecting version 1.6.0.

9.8
2023-11-27 CVE-2023-6306 Mayurik SQL Injection vulnerability in Mayurik Free and Open Source Inventory Management System 1.0

A vulnerability classified as critical has been found in SourceCodester Free and Open Source Inventory Management System 1.0.

9.8
2023-11-27 CVE-2023-6307 Jeecg Path Traversal vulnerability in Jeecg Jimureport

A vulnerability classified as critical was found in jeecgboot JimuReport up to 1.6.1.

9.8
2023-11-27 CVE-2023-6309 Moses SMT OS Command Injection vulnerability in Moses-Smt Mosesdecoder

A vulnerability, which was classified as critical, was found in moses-smt mosesdecoder up to 4.0.

9.8
2023-11-27 CVE-2023-6305 Mayurik SQL Injection vulnerability in Mayurik Free and Open Source Inventory Management System 1.0

A vulnerability was found in SourceCodester Free and Open Source Inventory Management System 1.0.

9.8
2023-11-29 CVE-2023-6345 Google / Debian / Fedoraproject / Microsoft Integer Overflow or Wraparound vulnerability in multiple products

Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file.

9.6
2023-11-30 CVE-2023-6353 Tylertech Improper Authentication vulnerability in Tylertech Court Case Management Plus

Tyler Technologies Civil and Criminal Electronic Filing allows an unauthenticated, remote attacker to upload, delete, and view files by manipulating the Upload.aspx 'enky' parameter.

9.4
2023-11-30 CVE-2023-6354 Tylertech Improper Authentication vulnerability in Tylertech Court Case Management Plus

Tyler Technologies Magistrate Court Case Management Plus allows an unauthenticated, remote attacker to upload, delete, and view files by manipulating the PDFViewer.aspx 'filename' parameter.

9.4
2023-12-03 CVE-2023-49946 Forgejo Incorrect Permission Assignment for Critical Resource vulnerability in Forgejo

In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked.

9.1
2023-12-01 CVE-2023-44382 Octobercms Code Injection vulnerability in Octobercms October

October is a Content Management System (CMS) and web platform to assist with development workflow.

9.1
2023-11-30 CVE-2023-5908 PTC / Softwaretoolbox / GE / Rockwellautomation Classic Buffer Overflow vulnerability in multiple products

KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak information.

9.1
2023-11-30 CVE-2023-6026 Elijaa Path Traversal vulnerability in Elijaa PHPmemcachedadmin 1.3.0

A Path traversal vulnerability has been reported in elijaa/phpmemcachedadmin affecting version 1.3.0.

9.1
2023-11-29 CVE-2023-46886 Dreamer CMS Project Path Traversal vulnerability in Dreamer CMS Project Dreamer CMS

Dreamer CMS before version 4.0.1 is vulnerable to Directory Traversal.

9.1
2023-11-28 CVE-2023-48023 Anyscale Server-Side Request Forgery (SSRF) vulnerability in Anyscale RAY 2.6.3/2.8.0

Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF.

9.1
2023-11-27 CVE-2023-5559 10Web Unspecified vulnerability in 10Web Booster

The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.

9.1

183 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-01 CVE-2023-38268 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Infosphere Information Server 11.7.1

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

8.8
2023-12-01 CVE-2023-48813 Slims SQL Injection vulnerability in Slims Senayan Library Management System Bulian 9.6.1

Senayan Library Management Systems (Slims) 9 Bulian v9.6.1 is vulnerable to SQL Injection via admin/modules/reporting/customs/fines_report.php.

8.8
2023-12-01 CVE-2023-48893 Slims SQL Injection vulnerability in Slims Senayan Library Management System Bulian 9.6.1

SLiMS (aka SENAYAN Library Management System) through 9.6.1 allows admin/modules/reporting/customs/staff_act.php SQL Injection via startDate or untilDate.

8.8
2023-11-30 CVE-2023-42917 Apple / Debian / Fedoraproject / Webkitgtk Out-of-bounds Write vulnerability in multiple products

A memory corruption vulnerability was addressed with improved locking.

8.8
2023-11-30 CVE-2023-46326 Zstack Insufficient Session Expiration vulnerability in Zstack

ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these.

8.8
2023-11-30 CVE-2023-46690 Deltaww Path Traversal vulnerability in Deltaww Infrasuite Device Master 1.0.7

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an attacker to write to any file to any location of the filesystem, which could lead to remote code execution.

8.8
2023-11-30 CVE-2023-47870 Gvectors Missing Authorization vulnerability in Gvectors Wpforo Forum

Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out. This issue affects wpForo Forum: from n/a through 2.2.6.

8.8
2023-11-30 CVE-2023-47875 Perfmatters Cross-Site Request Forgery (CSRF) vulnerability in Perfmatters

Cross-Site Request Forgery (CSRF) vulnerability in Perfmatters allows Cross Site Request Forgery. This issue affects Perfmatters: from n/a through 2.1.6.

8.8
2023-11-30 CVE-2023-48328 Imagely Cross-Site Request Forgery (CSRF) vulnerability in Imagely Nextgen Gallery

Cross-Site Request Forgery (CSRF) vulnerability in Imagely WordPress Gallery Plugin – NextGEN Gallery allows Cross Site Request Forgery. This issue affects WordPress Gallery Plugin – NextGEN Gallery: from n/a through 3.37.

8.8
2023-11-30 CVE-2023-48754 Wapnepal Cross-Site Request Forgery (CSRF) vulnerability in Wapnepal Delete Post Revisions

Cross-Site Request Forgery (CSRF) vulnerability in Wap Nepal Delete Post Revisions In WordPress allows Cross Site Request Forgery. This issue affects Delete Post Revisions In WordPress: from n/a through 4.6.

8.8
2023-11-30 CVE-2023-5803 Businessdirectoryplugin Cross-Site Request Forgery (CSRF) vulnerability in Businessdirectoryplugin Business Directory

Cross-Site Request Forgery (CSRF) vulnerability in Business Directory Team Business Directory Plugin – Easy Listing Directories for WordPress allows Cross-Site Request Forgery. This issue affects Business Directory Plugin – Easy Listing Directories for WordPress: from n/a through 6.3.10.

8.8
2023-11-30 CVE-2023-6402 Phpgurukul SQL Injection vulnerability in PHPgurukul Nipah Virus Testing Management System 1.0

A vulnerability, which was classified as critical, was found in PHPGurukul Nipah Virus Testing Management System 1.0.

8.8
2023-11-30 CVE-2023-33333 Really Simple Plugins Cross-Site Request Forgery (CSRF) vulnerability in Really-Simple-Plugins Complianz

Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugins Complianz, Really Simple Plugins Complianz Premium allows Cross-Site Scripting (XSS). This issue affects Complianz: from n/a through 6.4.4; Complianz Premium: from n/a through 6.4.6.1.

8.8
2023-11-30 CVE-2023-34030 Really Simple Plugins Cross-Site Request Forgery (CSRF) vulnerability in Really-Simple-Plugins Complianz 6.4.7

Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugins Complianz, Really Simple Plugins Complianz Premium allows Cross-Site Request Forgery. This issue affects Complianz: from n/a through 6.4.5; Complianz Premium: from n/a through 6.4.7.

8.8
2023-11-30 CVE-2023-36682 Brainstormforce Cross-Site Request Forgery (CSRF) vulnerability in Brainstormforce Schema PRO 2.7.7

Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force US LLC Schema Pro allows Cross Site Request Forgery. This issue affects Schema Pro: from n/a through 2.7.7.

8.8
2023-11-30 CVE-2023-36685 Brainstormforce Cross-Site Request Forgery (CSRF) vulnerability in Brainstormforce Cartflows

Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force US LLC CartFlows Pro allows Cross-Site Request Forgery. This issue affects CartFlows Pro: from n/a through 1.11.12.

8.8
2023-11-30 CVE-2023-47645 Metagauss Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Registrationmagic

Cross-Site Request Forgery (CSRF) vulnerability in RegistrationMagic RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login allows Cross-Site Request Forgery. This issue affects RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: from n/a through 5.2.2.6.

8.8
2023-11-30 CVE-2023-48279 S Sols Cross-Site Request Forgery (CSRF) vulnerability in S-Sols Seraphinite Post .Docx Source

Cross-Site Request Forgery (CSRF) vulnerability in Seraphinite Solutions Seraphinite Post .DOCX Source allows Cross-Site Request Forgery. This issue affects Seraphinite Post .DOCX Source: from n/a through 2.16.6.

8.8
2023-11-30 CVE-2023-48281 Superblogme Cross-Site Request Forgery (CSRF) vulnerability in Superblogme Broken Link Checker for Youtube

Cross-Site Request Forgery (CSRF) vulnerability in Super Blog Me Broken Link Checker for YouTube allows Cross-Site Request Forgery. This issue affects Broken Link Checker for YouTube: from n/a through 1.3.

8.8
2023-11-30 CVE-2023-48912 Iteachyou Cross-Site Request Forgery (CSRF) vulnerability in Iteachyou Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/archives/edit.

8.8
2023-11-30 CVE-2023-48913 Iteachyou Cross-Site Request Forgery (CSRF) vulnerability in Iteachyou Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/archives/delete.

8.8
2023-11-30 CVE-2023-48914 Iteachyou Cross-Site Request Forgery (CSRF) vulnerability in Iteachyou Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/archives/add.

8.8
2023-11-30 CVE-2023-48282 Andrealandonio Cross-Site Request Forgery (CSRF) vulnerability in Andrealandonio Taxonomy Filter

Cross-Site Request Forgery (CSRF) vulnerability in Andrea Landonio Taxonomy filter allows Cross-Site Request Forgery. This issue affects Taxonomy filter: from n/a through 2.2.9.

8.8
2023-11-30 CVE-2023-48283 Presstigers Cross-Site Request Forgery (CSRF) vulnerability in Presstigers Simple Testimonials Showcase

Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Testimonials Showcase allows Cross-Site Request Forgery. This issue affects Simple Testimonials Showcase: from n/a through 1.1.5.

8.8
2023-11-30 CVE-2023-48284 Webtoffee Cross-Site Request Forgery (CSRF) vulnerability in Webtoffee Decorator

Cross-Site Request Forgery (CSRF) vulnerability in WebToffee Decorator – WooCommerce Email Customizer allows Cross-Site Request Forgery. This issue affects Decorator – WooCommerce Email Customizer: from n/a through 1.2.7.

8.8
2023-11-30 CVE-2023-48323 Getawesomesupport Cross-Site Request Forgery (CSRF) vulnerability in Getawesomesupport Awesome Support

Cross-Site Request Forgery (CSRF) vulnerability in Awesome Support Team Awesome Support – WordPress HelpDesk & Support Plugin allows Cross-Site Request Forgery. This issue affects Awesome Support – WordPress HelpDesk & Support Plugin: from n/a through 6.1.4.

8.8
2023-11-30 CVE-2023-48330 Supremo Cross-Site Request Forgery (CSRF) vulnerability in Supremo Bulk Comment Remove

Cross-Site Request Forgery (CSRF) vulnerability in Mike Strand Bulk Comment Remove allows Cross-Site Request Forgery. This issue affects Bulk Comment Remove: from n/a through 2.

8.8
2023-11-30 CVE-2023-48331 Stormhillmedia Cross-Site Request Forgery (CSRF) vulnerability in Stormhillmedia Mybook Table Bookstore

Cross-Site Request Forgery (CSRF) vulnerability in Stormhill Media MyBookTable Bookstore by Stormhill Media allows Cross-Site Request Forgery. This issue affects MyBookTable Bookstore by Stormhill Media: from n/a through 3.3.4.

8.8
2023-11-30 CVE-2023-48334 Daext Cross-Site Request Forgery (CSRF) vulnerability in Daext League Table

Cross-Site Request Forgery (CSRF) vulnerability in DAEXT League Table allows Cross-Site Request Forgery. This issue affects League Table: from n/a through 1.13.

8.8
2023-11-30 CVE-2023-48744 Offshorewebmaster Cross-Site Request Forgery (CSRF) vulnerability in Offshorewebmaster Availability Calendar

Cross-Site Request Forgery (CSRF) vulnerability in Offshore Web Master Availability Calendar allows Cross-Site Request Forgery. This issue affects Availability Calendar: from n/a through 1.2.6.

8.8
2023-11-30 CVE-2023-6137 Wpfrontier Cross-Site Request Forgery (CSRF) vulnerability in Wpfrontier Frontier Post 6.1

Cross-Site Request Forgery (CSRF) vulnerability in finnj Frontier Post allows Cross-Site Request Forgery. This issue affects Frontier Post: from n/a through 6.1.

8.8
2023-11-30 CVE-2023-49052 Microweber Unrestricted Upload of File with Dangerous Type vulnerability in Microweber 2.0.4

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.

8.8
2023-11-30 CVE-2023-47464 GL Inet Path Traversal vulnerability in Gl-Inet Gl-Ax1800 Firmware

Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via the upload API function.

8.8
2023-11-30 CVE-2023-49097 Zitadel Weak Password Recovery Mechanism for Forgotten Password vulnerability in Zitadel

ZITADEL is an identity infrastructure system.

8.8
2023-11-30 CVE-2023-37927 Zyxel OS Command Injection vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware

The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

8.8
2023-11-30 CVE-2023-37928 Zyxel OS Command Injection vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware

A post-authentication command injection vulnerability in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

8.8
2023-11-29 CVE-2023-49655 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Matlab

A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system.

8.8
2023-11-29 CVE-2023-49673 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins products

A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.

8.8
2023-11-29 CVE-2023-6346 Google, Debian, Fedoraproject Use After Free vulnerability in multiple products

Use after free in WebAudio in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-11-29 CVE-2023-6347 Google, Debian, Fedoraproject Use After Free vulnerability in multiple products

Use after free in Mojo in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-11-29 CVE-2023-6348 Google, Debian, Fedoraproject Type Confusion vulnerability in multiple products

Type Confusion in Spellcheck in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-11-29 CVE-2023-6350 Google, Debian, Fedoraproject Use After Free vulnerability in multiple products

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file.

8.8
2023-11-29 CVE-2023-6351 Google, Debian, Fedoraproject Use After Free vulnerability in multiple products

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file.

8.8
2023-11-28 CVE-2023-40056 Solarwinds SQL Injection vulnerability in Solarwinds Platform

A SQL Injection Remote Code Vulnerability was found in the SolarWinds Platform.

8.8
2023-11-28 CVE-2022-41678 Apache Improper Authentication vulnerability in Apache Activemq

Once a user is authenticated on Jolokia, they can potentially trigger arbitrary code execution. In detail, in ActiveMQ configurations, Jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia; org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create a JmxRequest through JSONObject.

8.8
2023-11-28 CVE-2023-6239 M Files Improper Preservation of Permissions vulnerability in M-Files Server 23.10/23.9

Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized access to the object.

8.8
2023-11-28 CVE-2023-6201 Univera OS Command Injection vulnerability in Univera Panorama

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Univera Computer System Panorama allows Command Injection. This issue affects Panorama: before 8.0.

8.8
2023-11-28 CVE-2023-42004 IBM Improper Neutralization of Formula Elements in a CSV File vulnerability in IBM Security Guardium 11.3/11.4/11.5

IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection.

8.8
2023-11-28 CVE-2023-4221 Chamilo OS Command Injection vulnerability in Chamilo LMS

Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.

8.8
2023-11-28 CVE-2023-4222 Chamilo OS Command Injection vulnerability in Chamilo LMS

Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.

8.8
2023-11-28 CVE-2023-4223 Chamilo Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS

Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

8.8
2023-11-28 CVE-2023-4224 Chamilo Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS

Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

8.8
2023-11-28 CVE-2023-4225 Chamilo Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

8.8
2023-11-28 CVE-2023-4226 Chamilo Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

8.8
2023-11-28 CVE-2023-29770 Sapplica Unrestricted Upload of File with Dangerous Type vulnerability in Sapplica Sentrifugo 3.5

In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.

8.8
2023-11-27 CVE-2023-32616 Foxitsoftware Use After Free vulnerability in Foxitsoftware Foxit Reader 12.1.2.15356

A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles 3D annotations.

8.8
2023-11-27 CVE-2023-35985 Foxitsoftware Externally Controlled Reference to a Resource in Another Sphere vulnerability in Foxitsoftware Foxit Reader 12.1.3.15356

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension.

8.8
2023-11-27 CVE-2023-38573 Foxitsoftware Use After Free vulnerability in Foxitsoftware Foxit Reader 12.1.2.15356

A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles a signature field.

8.8
2023-11-27 CVE-2023-39542 Foxitsoftware Externally Controlled Reference to a Resource in Another Sphere vulnerability in Foxitsoftware Foxit Reader 12.1.3.15356

A code execution vulnerability exists in the Javascript saveAs API of Foxit Reader 12.1.3.15356.

8.8
2023-11-27 CVE-2023-40194 Foxitsoftware Externally Controlled Reference to a Resource in Another Sphere vulnerability in Foxitsoftware Foxit Reader 12.1.3.15356

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters.

8.8
2023-11-27 CVE-2023-41257 Foxitsoftware Type Confusion vulnerability in Foxitsoftware Foxit Reader 12.1.3.15356

A type confusion vulnerability exists in the way Foxit Reader 12.1.2.15356 handles field value properties.

8.8
2023-11-27 CVE-2023-40610 Apache Incorrect Authorization vulnerability in Apache Superset

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2.

8.8
2023-11-27 CVE-2023-6308 Four Faith Unrestricted Upload of File with Dangerous Type vulnerability in Four-Faith Video Surveillance Management System 2016/2017

A vulnerability, which was classified as critical, has been found in Xiamen Four-Faith Video Surveillance Management System 2016/2017.

8.8
2023-11-28 CVE-2023-45539 Haproxy Unspecified vulnerability in Haproxy

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

8.2
2023-11-30 CVE-2023-37867 YET Another Stars Rating Project Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in YET Another Stars Rating Project YET Another Stars Rating

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in YetAnotherStarsRating.Com YASR – Yet Another Star Rating Plugin for WordPress. This issue affects YASR – Yet Another Star Rating Plugin for WordPress: from n/a through 3.3.8.

8.1
2023-11-27 CVE-2023-6304 Tecno Mobile OS Command Injection vulnerability in Tecno-Mobile Tr118 Firmware Tr118M30Errdenfrarswhapoopv00820220830

A vulnerability was found in Tecno 4G Portable WiFi TR118 TR118-M30E-RR-D-EnFrArSwHaPo-OP-V008-20220830.

8.0
2023-12-02 CVE-2023-39256 Dell Unspecified vulnerability in Dell Rugged Control Center

Dell Rugged Control Center, version prior to 4.7, contains an improper access control vulnerability.

7.8
2023-12-02 CVE-2023-39257 Dell Unspecified vulnerability in Dell Rugged Control Center

Dell Rugged Control Center, version prior to 4.7, contains an Improper Access Control vulnerability.

7.8
2023-12-01 CVE-2023-45168 IBM Unspecified vulnerability in IBM AIX and Vios

IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the invscout command to execute arbitrary commands.

7.8
2023-12-01 CVE-2023-5427 ARM Use After Free vulnerability in ARM products

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU processing operations to gain access to already freed memory. This issue affects Bifrost GPU Kernel Driver: from r44p0 through r45p0; Valhall GPU Kernel Driver: from r44p0 through r45p0; Arm 5th Gen GPU Architecture Kernel Driver: from r44p0 through r45p0.

7.8
2023-12-01 CVE-2023-45252 Huddly Uncontrolled Search Path Element vulnerability in Huddly Huddlycameraservice

DLL Hijacking vulnerability in Huddly HuddlyCameraService before version 8.0.7, not including version 7.99, due to the installation of the service in a directory that grants write privileges to standard users, allows attackers to manipulate files, execute arbitrary code, and escalate privileges.

7.8
2023-12-01 CVE-2023-45253 Huddly Improper Privilege Management vulnerability in Huddly Huddlycameraservices

An issue was discovered in Huddly HuddlyCameraService before version 8.0.7, not including version 7.99, that allows attackers to manipulate files and escalate privileges via the RollingFileAppender.DeleteFile method of the log4net library.

7.8
2023-11-30 CVE-2023-47452 Notepad Plus Plus Uncontrolled Search Path Element vulnerability in Notepad-Plus-Plus Notepad++ 6.5

An untrusted search path vulnerability in Notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory.

7.8
2023-11-30 CVE-2023-47453 Sohu Uncontrolled Search Path Element vulnerability in Sohu Video Player 7.0.15.0

An untrusted search path vulnerability in Sohu Video Player 7.0.15.0 allows local users to gain escalated privileges through the version.dll file in the current working directory.

7.8
2023-11-30 CVE-2023-47454 Netease Uncontrolled Search Path Element vulnerability in Netease Cloudmusic 2.10.4

An untrusted search path vulnerability in NetEase CloudMusic 2.10.4 for Windows allows local users to gain escalated privileges through the urlmon.dll file in the current working directory.

7.8
2023-11-30 CVE-2023-2264 Selinc Unspecified vulnerability in Selinc Sel-411L Firmware

An improper input validation vulnerability in the Schweitzer Engineering Laboratories SEL-411L could allow a malicious actor to manipulate authorized users to click on a link that could allow undesired behavior. See product Instruction Manual Appendix A dated 20230830 for more details.

7.8
2023-11-30 CVE-2023-6401 Notepad Plus Plus Uncontrolled Search Path Element vulnerability in Notepad-Plus-Plus Notepad++

A vulnerability classified as problematic was found in NotePad++ up to 8.1.

7.8
2023-11-30 CVE-2023-4770 4D Uncontrolled Search Path Element vulnerability in 4D and Server

An uncontrolled search path element vulnerability has been found in the 4D and 4D Server Windows executable applications, affecting version 19 R8 100218.

7.8
2023-11-30 CVE-2023-49699 Asrmicro Out-of-bounds Write vulnerability in Asrmicro Asr1803 Firmware and Asr1806 Firmware

Memory corruption in IMS while calling the VoLTE Streamingmedia interface.

7.8
2023-11-30 CVE-2023-5247 Mitsubishielectric Externally Controlled Reference to a Resource in Another Sphere vulnerability in Mitsubishielectric products

Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service (DoS) condition.

7.8
2023-11-29 CVE-2023-49694 Netgear Unspecified vulnerability in Netgear Prosafe Network Management System

A low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory.

7.8
2023-11-28 CVE-2023-46944 Gitkraken Unspecified vulnerability in Gitkraken Gitlens

An issue in GitKraken GitLens before v.14.0.0 allows an attacker to execute arbitrary code via a crafted file to the Visual Studio Code workspace trust component.

7.8
2023-11-28 CVE-2023-49314 Asana Code Injection vulnerability in Asana Desktop 2.1.0

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses.

7.8
2023-11-27 CVE-2023-31275 Kingsoft Use of Uninitialized Resource vulnerability in Kingsoft WPS Office 11.2.0.11537

An uninitialized pointer use vulnerability exists in the functionality of WPS Office 11.2.0.11537 that handles Data elements in an Excel file.

7.8
2023-11-27 CVE-2023-4931 Plesk Uncontrolled Search Path Element vulnerability in Plesk 3.27.0.0

Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0.

7.8
2023-12-03 CVE-2023-49947 Forgejo Incorrect Authorization vulnerability in Forgejo

Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication.

7.5
2023-12-03 CVE-2023-45178 IBM Unspecified vulnerability in IBM DB2 11.5

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 CLI is vulnerable to a denial of service when a specially crafted request is used.

7.5
2023-12-03 CVE-2018-25094 Kotchasan Path Traversal vulnerability in Kotchasan Online Accounting System 1.4.0

A vulnerability was found in Kotchasan Online Accounting System up to 1.4.0 and classified as problematic.

7.5
2023-12-01 CVE-2023-40699 IBM Unspecified vulnerability in IBM Infosphere Information Server 11.7.1

IBM InfoSphere Information Server 11.7 could allow a remote attacker to cause a denial of service due to improper input validation.

7.5
2023-12-01 CVE-2023-4518 Hitachienergy Improper Validation of Specified Quantity in Input vulnerability in Hitachienergy products

A vulnerability exists in the input validation of the GOOSE messages where out of range values received and processed by the IED caused a reboot of the device.

7.5
2023-12-01 CVE-2023-5635 Arslansoft Education Portal Project Unspecified vulnerability in Arslansoft Education Portal Project Arslansoft Education Portal

Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ArslanSoft Education Portal allows Account Footprinting. This issue affects Education Portal: before v1.1.

7.5
2023-12-01 CVE-2023-5637 Arslansoft Education Portal Project Unrestricted Upload of File with Dangerous Type vulnerability in Arslansoft Education Portal Project Arslansoft Education Portal

Unrestricted Upload of File with Dangerous Type vulnerability in ArslanSoft Education Portal allows Read Sensitive Strings Within an Executable. This issue affects Education Portal: before v1.1.

7.5
2023-12-01 CVE-2023-5226 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1.

7.5
2023-12-01 CVE-2023-5995 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1.

7.5
2023-12-01 CVE-2023-48016 Phpgurukul SQL Injection vulnerability in PHPgurukul Restaurant Table Booking System 1.0

Restaurant Table Booking System V1.0 is vulnerable to SQL Injection in rtbs/admin/index.php via the username parameter.

7.5
2023-11-30 CVE-2023-46383 Loytec Cleartext Transmission of Sensitive Information vulnerability in Loytec L-Inx Configurator 7.4.10

LOYTEC electronics GmbH LINX Configurator 7.4.10 uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext and allows remote attackers to steal the password and gain full control of Loytec device configuration.

7.5
2023-11-30 CVE-2023-46384 Loytec Cleartext Storage of Sensitive Information vulnerability in Loytec L-Inx Configurator 7.4.10

LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to Insecure Permissions.

7.5
2023-11-30 CVE-2023-46385 Loytec Cleartext Transmission of Sensitive Information vulnerability in Loytec L-Inx Configurator 7.4.10

LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to Insecure Permissions.

7.5
2023-11-30 CVE-2023-46386 Loytec Cleartext Storage of Sensitive Information vulnerability in Loytec Linx-151 Firmware and Linx-212 Firmware

LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 are vulnerable to Insecure Permissions via registry.xml file.

7.5
2023-11-30 CVE-2023-46387 Loytec Unspecified vulnerability in Loytec Linx-151 Firmware and Linx-212 Firmware

LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 are vulnerable to Incorrect Access Control via dpal_config.zml file.

7.5
2023-11-30 CVE-2023-46388 Loytec Cleartext Storage of Sensitive Information vulnerability in Loytec Linx-151 Firmware and Linx-212 Firmware

LOYTEC electronics GmbH LINX-212 6.2.4 and LINX-151 7.2.4 are vulnerable to Insecure Permissions via dpal_config.zml file.

7.5
2023-11-30 CVE-2023-46389 Loytec Unspecified vulnerability in Loytec Linx-151 Firmware and Linx-212 Firmware

LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 Firmware 7.2.4 are vulnerable to Incorrect Access Control via registry.xml file.

7.5
2023-11-30 CVE-2023-47279 Deltaww Path Traversal vulnerability in Deltaww Infrasuite Device Master 1.0.7

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to disclose user information through a single UDP packet, obtain plaintext credentials, or perform NTLM relaying.

7.5
2023-11-30 CVE-2023-47307 Szlbt Classic Buffer Overflow vulnerability in Szlbt Lbt-T300-T310 Firmware 2.2.2.6

Buffer Overflow vulnerability in /apply.cgi in Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 allows attackers to cause a denial of service via the ApCliAuthMode parameter.

7.5
2023-11-30 CVE-2023-49735 Apache Path Traversal vulnerability in Apache Tiles 2.0

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key.

7.5
2023-11-30 CVE-2023-5909 PTC, Softwaretoolbox, GE, Rockwellautomation Improper Certificate Validation vulnerability in multiple products

KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.

7.5
2023-11-30 CVE-2023-6375 Tylertech Files or Directories Accessible to External Parties vulnerability in Tylertech Court Case Management Plus

Tyler Technologies Court Case Management Plus may store backups in a location that can be accessed by a remote, unauthenticated attacker.

7.5
2023-11-30 CVE-2023-6376 Henschen Use of Insufficiently Random Values vulnerability in Henschen Court Document Management

Henschen & Associates court document management software does not sufficiently randomize file names of cached documents, allowing a remote, unauthenticated attacker to access restricted documents.

7.5
2023-11-30 CVE-2023-37972 Multivendorx Unspecified vulnerability in Multivendorx Product Stock Manager & Notifier for Woocommerce

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in MultiVendorX Product Stock Manager & Notifier for WooCommerce. This issue affects Product Stock Manager & Notifier for WooCommerce: from n/a through 2.0.1.

7.5
2023-11-30 CVE-2023-40211 Pickplugins Unspecified vulnerability in Pickplugins Post Grid Combo

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PickPlugins Post Grid Combo – 36+ Gutenberg Blocks. This issue affects Post Grid Combo – 36+ Gutenberg Blocks: from n/a through 2.2.50.

7.5
2023-11-30 CVE-2023-40600 Ewww Unspecified vulnerability in Ewww Image Optimizer

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exactly WWW EWWW Image Optimizer. It works only when debug.log is turned on. This issue affects EWWW Image Optimizer: from n/a through 7.2.0.

7.5
2023-11-30 CVE-2023-40662 Followmedarling Unspecified vulnerability in Followmedarling Cookies and Content Security Policy

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Jonk @ Follow me Darling Cookies and Content Security Policy. This issue affects Cookies and Content Security Policy: from n/a through 2.15.

7.5
2023-11-30 CVE-2023-41735 Gopiplus Unspecified vulnerability in Gopiplus Email Posts to Subscribers 6.2

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gopi Ramasamy Email posts to subscribers. This issue affects Email posts to subscribers: from n/a through 6.2.

7.5
2023-11-30 CVE-2023-44150 Properfraction Unspecified vulnerability in Properfraction Profilepress

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress. This issue affects Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: from n/a through 4.13.2.

7.5
2023-11-30 CVE-2023-45066 Smackcoders Unspecified vulnerability in Smackcoders Export ALL Posts, Products, Orders, Refunds & Users

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Smackcoders Export All Posts, Products, Orders, Refunds & Users. This issue affects Export All Posts, Products, Orders, Refunds & Users: from n/a through 2.4.1.

7.5
2023-11-30 CVE-2023-47827 Nicheaddons Incorrect Authorization vulnerability in Nicheaddons Events Addon for Elementor

Incorrect Authorization vulnerability in NicheAddons Events Addon for Elementor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Events Addon for Elementor: from n/a through 2.1.3.

7.5
2023-11-30 CVE-2023-48963 Tenda Out-of-bounds Write vulnerability in Tenda I6 Firmware 1.0.0.8(3856)

Tenda i6 V1.0.0.8(3856) is vulnerable to Buffer Overflow via /goform/wifiSSIDget.

7.5
2023-11-30 CVE-2023-48964 Tenda Out-of-bounds Write vulnerability in Tenda I6 Firmware 1.0.0.8(3856)

Tenda i6 V1.0.0.8(3856) is vulnerable to Buffer Overflow via /goform/WifiMacFilterSet.

7.5
2023-11-30 CVE-2023-6136 Bowo Unspecified vulnerability in Bowo Debug LOG Manager

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Bowo Debug Log Manager. This issue affects Debug Log Manager: from n/a through 2.3.0.

7.5
2023-11-30 CVE-2023-6410 Aatifaneeq SQL Injection vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via editprofile.php in multiple parameters.

7.5
2023-11-30 CVE-2023-6411 Aatifaneeq SQL Injection vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via home.php in the update parameter.

7.5
2023-11-30 CVE-2023-6412 Aatifaneeq SQL Injection vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via photo.php in multiple parameters.

7.5
2023-11-30 CVE-2023-6413 Aatifaneeq SQL Injection vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via photos.php in the id and user parameters.

7.5
2023-11-30 CVE-2023-6414 Aatifaneeq SQL Injection vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via perfil.php in the id and user parameters.

7.5
2023-11-30 CVE-2023-6415 Aatifaneeq SQL Injection vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via signin.php in the user parameter.

7.5
2023-11-30 CVE-2023-6416 Aatifaneeq SQL Injection vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via signup2.php in the emailadd parameter.

7.5
2023-11-30 CVE-2023-6417 Aatifaneeq SQL Injection vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via update.php in the id parameter.

7.5
2023-11-30 CVE-2023-6418 Aatifaneeq SQL Injection vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection via videos.php in the id parameter.

7.5
2023-11-30 CVE-2023-49095 Nexryai Improper Input Validation vulnerability in Nexryai Nexkey 12.121.9

nexkey is a microblogging platform.

7.5
2023-11-30 CVE-2023-49700 Asrmicro Classic Buffer Overflow vulnerability in Asrmicro Asr1803 Firmware and Asr1806 Firmware

Security best-practices violation: a string operation in Streamingmedia will write past the end of a fixed-size destination buffer if the source buffer is too large.

7.5
2023-11-30 CVE-2023-49087 Simplesamlphp Insufficient Verification of Data Authenticity vulnerability in Simplesamlphp Saml2 and Xml-Security

xml-security is a library that implements XML signatures and encryption.

7.5
2023-11-30 CVE-2023-35137 Zyxel Improper Authentication vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware

An improper authentication vulnerability in the authentication module of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device.

7.5
2023-11-29 CVE-2023-40458 Sierrawireless Infinite Loop vulnerability in Sierrawireless Aleos

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Sierra Wireless, Inc ALEOS could potentially allow a remote attacker to trigger a Denial of Service (DoS) condition for ACEManager without impairing other router functions.

7.5
2023-11-29 CVE-2022-42539 Google Unspecified vulnerability in Google Android

Information disclosure

7.5
2023-11-29 CVE-2023-48945 Openlinksw Out-of-bounds Write vulnerability in Openlinksw Virtuoso 7.2.11

A stack overflow in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

7.5
2023-11-29 CVE-2023-48946 Openlinksw Unspecified vulnerability in Openlinksw Virtuoso 7.2.11

An issue in the box_mpy function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

7.5
2023-11-29 CVE-2023-48947 Openlinksw Unspecified vulnerability in Openlinksw Virtuoso 7.2.11

An issue in the cha_cmp function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

7.5
2023-11-29 CVE-2023-48948 Openlinksw Unspecified vulnerability in Openlinksw Virtuoso 7.2.11

An issue in the box_div function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

7.5
2023-11-29 CVE-2023-48949 Openlinksw Unspecified vulnerability in Openlinksw Virtuoso 7.2.11

An issue in the box_add function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

7.5
2023-11-29 CVE-2023-48950 Openlinksw Unspecified vulnerability in Openlinksw Virtuoso 7.2.11

An issue in the box_col_len function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

7.5
2023-11-29 CVE-2023-48951 Openlinksw Unspecified vulnerability in Openlinksw Virtuoso 7.2.11

An issue in the box_equal function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

7.5
2023-11-29 CVE-2023-48952 Openlinksw Deserialization of Untrusted Data vulnerability in Openlinksw Virtuoso 7.2.11

An issue in the box_deserialize_reusing function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

7.5
2023-11-29 CVE-2023-49079 Misskey Improper Verification of Cryptographic Signature vulnerability in Misskey

Misskey is an open source, decentralized social media platform.

7.5
2023-11-29 CVE-2023-49083 Cryptography Project NULL Pointer Dereference vulnerability in Cryptography Project Cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

7.5
2023-11-29 CVE-2023-40626 Joomla Unspecified vulnerability in Joomla Joomla!

The language file parsing process could be manipulated to expose environment variables.

7.5
2023-11-29 CVE-2023-6378 QOS Deserialization of Untrusted Data vulnerability in QOS Logback

A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

7.5
2023-11-29 CVE-2023-46887 Dreamer CMS Project Download of Code Without Integrity Check vulnerability in Dreamer CMS Project Dreamer CMS

In Dreamer CMS before 4.0.1, the backend attachment management office has an Arbitrary File Download vulnerability.

7.5
2023-11-29 CVE-2023-24294 Zumtobel Classic Buffer Overflow vulnerability in Zumtobel Netlink CCD Firmware 3.80

Zumtobel Netlink CCD Onboard v3.74 - Firmware v3.80 was discovered to contain a buffer overflow via the component NetlinkWeb::Information::SetDeviceIdentification.

7.5
2023-11-28 CVE-2023-30590 Nodejs Unspecified vulnerability in Nodejs Node.Js

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey().

7.5
2023-11-28 CVE-2023-48848 Ureport Project Path Traversal vulnerability in Ureport Project Ureport 2.2.9

An arbitrary file read vulnerability in ureport v2.2.9 allows a remote attacker to arbitrarily read files on the server by inserting a crafted path.

7.5
2023-11-28 CVE-2023-46589 Apache HTTP Request Smuggling vulnerability in Apache Tomcat

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers.

7.5
2023-11-28 CVE-2023-49062 Facebook Improper Initialization vulnerability in Facebook Katran

Katran could disclose non-initialized kernel memory as part of an IP header.

7.5
2023-11-28 CVE-2023-6150 Eskom Improper Privilege Management vulnerability in Eskom E-Belediye 1.0.0.100/1.0.0.95

Improper Privilege Management vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue affects e-municipality module: before v.105.

7.5
2023-11-28 CVE-2023-6151 Eskom Improper Privilege Management vulnerability in Eskom E-Belediye 1.0.0.100/1.0.0.95

Improper Privilege Management vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue affects e-municipality module: before v.105.

7.5
2023-11-28 CVE-2023-34053 Vmware Unspecified vulnerability in VMWare Spring Framework

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:
  • the application uses Spring MVC or Spring WebFlux
  • io.micrometer:micrometer-core is on the classpath
  • an ObservationRegistry is configured in the application to record observations
Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

7.5
2023-11-28 CVE-2023-34054 Pivotal Unspecified vulnerability in Pivotal Reactor Netty

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

7.5
2023-11-28 CVE-2023-30585 Nodejs Unspecified vulnerability in Nodejs Node.Js

A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer.

7.5
2023-11-28 CVE-2023-4398 Zyxel Integer Overflow or Wraparound vulnerability in Zyxel ZLD

An integer overflow vulnerability in the source code of the QuickSec IPSec toolkit used in the VPN feature of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions on an affected device by sending a crafted IKE packet.

7.5
2023-11-27 CVE-2023-49030 32Ns SQL Injection vulnerability in 32Ns Klive 20190119

SQL Injection vulnerability in 32ns KLive v.2019-1-19 and before allows a remote attacker to obtain sensitive information via a crafted script to the web/user.php component.

7.5
2023-11-27 CVE-2023-49316 Phpseclib Excessive Iteration vulnerability in PHPseclib

In Math/BinaryField.php in phpseclib 3 before 3.0.34, excessively large degrees can lead to a denial of service.

7.5
2023-11-27 CVE-2023-49047 Tenda Out-of-bounds Write vulnerability in Tenda Ax1803 Firmware 1.0.0.1

Tenda AX1803 v1.0.0.1 contains a stack overflow via the devName parameter in the function formSetDeviceName.

7.5
2023-11-27 CVE-2023-5239 Cleantalk Unspecified vulnerability in Cleantalk Security & Malware Scan

The Security & Malware scan by CleanTalk WordPress plugin before 2.121 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value.

7.5
2023-11-27 CVE-2023-5906 Themehigh Unspecified vulnerability in Themehigh JOB Manager & Career

The Job Manager & Career WordPress plugin before 1.4.4 contains a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users.

7.5
2023-11-27 CVE-2023-40703 Mattermost Resource Exhaustion vulnerability in Mattermost

Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards, allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string.

7.5
2023-11-27 CVE-2023-48268 Mattermost Resource Exhaustion vulnerability in Mattermost

Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb).

7.5
2023-11-27 CVE-2023-49068 Apache Unspecified vulnerability in Apache Dolphinscheduler

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue.

7.5
2023-11-27 CVE-2023-6254 Otrs Insufficiently Protected Credentials vulnerability in Otrs

A vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are sent back to the client in the server response. This issue affects OTRS: from 8.0.X through 8.0.37.

7.5
2023-11-27 CVE-2023-49322 F Secure Unspecified vulnerability in F-Secure products

Certain WithSecure products allow a Denial of Service because there is an unpack handler crash that can lead to a scanning engine crash.

7.5
2023-12-01 CVE-2023-6449 Rocklobster Unrestricted Upload of File with Dangerous Type vulnerability in Rocklobster Contact Form 7

The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3.

7.2
2023-11-30 CVE-2023-46956 Oretnom23 SQL Injection vulnerability in Oretnom23 Packers and Movers Management System 1.0

SQL injection vulnerability in Packers and Movers Management System v.1.0 allows a remote attacker to execute arbitrary code via crafted payload to the /mpms/admin/?page=user/manage_user&id file.

7.2
2023-11-30 CVE-2023-48742 Wpexperts SQL Injection vulnerability in Wpexperts License Manager for Woocommerce

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LicenseManager License Manager for WooCommerce license-manager-for-woocommerce allows SQL Injection. This issue affects License Manager for WooCommerce: from n/a through 2.2.10.

7.2
2023-11-30 CVE-2023-5965 Espocrm Unrestricted Upload of File with Dangerous Type vulnerability in Espocrm

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution.

7.2
2023-11-30 CVE-2023-5966 Espocrm Unrestricted Upload of File with Dangerous Type vulnerability in Espocrm

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution.

7.2
2023-11-30 CVE-2023-6071 Trellix Command Injection vulnerability in Trellix Enterprise Security Manager 11.6.8

An Improper Neutralization of Special Elements used in a command vulnerability in ESM prior to version 11.6.9 allows a remote administrator to execute arbitrary code as root on the ESM.

7.2
2023-11-29 CVE-2023-6218 Progress Improper Privilege Management vulnerability in Progress Moveit Transfer

In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. It is possible for a group administrator to elevate a group member's permissions to the role of an organization administrator.

7.2
2023-11-28 CVE-2023-49075 Pimcore Use of Single-factor Authentication vulnerability in Pimcore Admin Classic Bundle

The Admin Classic Bundle provides a Backend UI for Pimcore.

7.2
2023-11-28 CVE-2023-6219 Reputeinfosystems Unrestricted Upload of File with Dangerous Type vulnerability in Reputeinfosystems Bookingpress

The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'bookingpress_process_upload' function in versions up to, and including, 1.0.76.

7.2
2023-11-27 CVE-2023-5607 Trellix Path Traversal vulnerability in Trellix Application and Change Control

An improper limitation of a path name to a restricted directory (path traversal) vulnerability in the TACC ePO extension, for on-premises ePO servers, prior to version 8.4.0 could lead to an authorised administrator attacker executing arbitrary code through uploading a specially crafted GTI reputation file.

7.2
2023-11-27 CVE-2023-6312 Razormist SQL Injection vulnerability in Razormist Loan Management System 1.0

A vulnerability was found in SourceCodester Loan Management System 1.0.

7.2
2023-11-27 CVE-2023-6310 Razormist SQL Injection vulnerability in Razormist Loan Management System 1.0

A vulnerability has been found in SourceCodester Loan Management System 1.0 and classified as critical.

7.2
2023-11-27 CVE-2023-6311 Razormist SQL Injection vulnerability in Razormist Loan Management System 1.0

A vulnerability was found in SourceCodester Loan Management System 1.0 and classified as critical.

7.2
2023-11-27 CVE-2023-6302 Cskaza Permission Issues vulnerability in Cskaza Cszcms 1.3.0

A vulnerability was found in CSZCMS 1.3.0 and classified as critical.

7.2
2023-12-01 CVE-2023-44402 Electronjs Insufficient Verification of Data Authenticity vulnerability in Electronjs Electron

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS.

7.0

218 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-01 CVE-2023-28895 Preh Use of Hard-coded Credentials vulnerability in Preh Mib3 Firmware

The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment is hard-coded in the firmware.

6.8
2023-11-28 CVE-2023-24023 Bluetooth, Microsoft

Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.

6.8
2023-12-03 CVE-2023-6474 Phpgurukul Cross-Site Request Forgery (CSRF) vulnerability in PHPgurukul Nipah Virus Testing Management System 1.0

A vulnerability has been found in PHPGurukul Nipah Virus Testing Management System 1.0 and classified as problematic.

6.5
2023-12-02 CVE-2023-49914 Choosemuse Unspecified vulnerability in Choosemuse Muse 2 Firmware

InteraXon Muse 2 devices allow remote attackers to cause a denial of service (incorrect Muse App report of an outstanding, calm meditation state) via a 480 MHz RF carrier that is modulated by a "false" brain wave, aka a Brain-Hack attack.

6.5
2023-12-01 CVE-2023-26024 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Planning Analytics on Cloud PAK for Data 4.0

IBM Planning Analytics on Cloud Pak for Data 4.0 could allow an attacker on a shared network to obtain sensitive information caused by insecure network communication.

6.5
2023-12-01 CVE-2023-4912 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1.

6.5
2023-11-30 CVE-2023-42916 Apple, Fedoraproject, Debian, Webkitgtk Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read was addressed with improved input validation.

6.5
2023-11-30 CVE-2023-48894 Huaxiaerp Unspecified vulnerability in Huaxiaerp Jsherp 3.3

Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter function.

6.5
2023-11-30 CVE-2023-34389 Selinc Allocation of Resources Without Limits or Throttling vulnerability in Selinc Sel-451 Firmware

An allocation of resources without limits or throttling vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote authenticated attacker to make the system unavailable for an indefinite amount of time. See product Instruction Manual Appendix A dated 20230830 for more details.

6.5
2023-11-30 CVE-2023-34390 Selinc Unspecified vulnerability in Selinc Sel-451 Firmware

An input validation vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote authenticated attacker to create a denial of service against the system and lock out services. See product Instruction Manual Appendix A dated 20230830 for more details.

6.5
2023-11-30 CVE-2023-26533 Gesundheit Bewegt Unspecified vulnerability in Gesundheit-Bewegt Zippy

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.1.

6.5
2023-11-30 CVE-2023-37868 Leap13 Unspecified vulnerability in Leap13 Premium Addons

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons PRO. This issue affects Premium Addons PRO: from n/a through 2.9.0.

6.5
2023-11-30 CVE-2023-48333 Booster Unspecified vulnerability in Booster for Woocommerce

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pluggabl LLC Booster for WooCommerce. This issue affects Booster for WooCommerce: from n/a through 7.1.1.

6.5
2023-11-30 CVE-2023-49620 Apache Missing Authorization vulnerability in Apache Dolphinscheduler

Before DolphinScheduler version 3.1.0, the login user could delete a UDF function in the resource center without authorization (UDF functions are mostly used in SQL tasks), an unauthorized access vulnerability (IDOR); after version 3.1.0 we fixed this issue.

6.5
2023-11-30 CVE-2023-49076 Pimcore Cross-Site Request Forgery (CSRF) vulnerability in Pimcore

Customer-data-framework allows management of customer data within Pimcore.

6.5
2023-11-29 CVE-2023-49653 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Jira

Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

6.5
2023-11-28 CVE-2023-42504 Apache Allocation of Resources Without Limits or Throttling vulnerability in Apache Superset

An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service. This issue affects Apache Superset: before 3.0.0.

6.5
2023-11-28 CVE-2023-34055 Vmware Unspecified vulnerability in VMWare Spring Boot

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:
  • the application uses Spring MVC or Spring WebFlux
  • org.springframework.boot:spring-boot-actuator is on the classpath

6.5
2023-11-27 CVE-2023-5885 Franklinfueling Path Traversal vulnerability in Franklinfueling Colibri Firmware

The discontinued FFS Colibri product allows a remote user to access files on the system including files containing login credentials for other users.

6.5
2023-12-03 CVE-2022-4957 Librespeed Cross-site Scripting vulnerability in Librespeed Speedtest

A vulnerability was found in librespeed speedtest up to 5.2.4.

6.1
2023-12-03 CVE-2023-49926 Misp Cross-site Scripting vulnerability in Misp

app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget.

6.1
2023-12-02 CVE-2023-6466 Thecosy Cross-site Scripting vulnerability in Thecosy Icecms 2.0.1

A vulnerability was found in Thecosy IceCMS 2.0.1.

6.1
2023-12-02 CVE-2023-6465 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Nipah Virus Testing Management System 1.0

A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0.

6.1
2023-12-01 CVE-2023-48314 Collaboraoffice Cross-site Scripting vulnerability in Collaboraoffice Collabora Online

Collabora Online is a collaborative online office suite based on LibreOffice technology.

6.1
2023-12-01 CVE-2023-49276 Uptime Kuma Cross-site Scripting vulnerability in Uptime.Kuma Uptime Kuma

Uptime Kuma is an open source self-hosted monitoring tool.

6.1
2023-12-01 CVE-2023-49281 Cainor Open Redirect vulnerability in Cainor Calendarinho

Calendarinho is an open source calendaring application to manage large teams of consultants.

6.1
2023-12-01 CVE-2023-6462 Remyandrade Cross-site Scripting vulnerability in Remyandrade User Registration and Login System 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester User Registration and Login System 1.0.

6.1
2023-12-01 CVE-2023-49277 Darrennathanael Cross-site Scripting vulnerability in Darrennathanael Dpaste

dpaste is an open source pastebin application written in Python using the Django framework.

6.1
2023-12-01 CVE-2023-6461 Viliusle Cross-site Scripting vulnerability in Viliusle Minipaint

Cross-site Scripting (XSS) - Reflected in GitHub repository viliusle/minipaint prior to 4.14.0.

6.1
2023-11-30 CVE-2023-6439 Easycorp Cross-site Scripting vulnerability in Easycorp Zentao 18.8

A vulnerability classified as problematic was found in ZenTao PMS 18.8.

6.1
2023-11-30 CVE-2023-2265 Selinc Improper Restriction of Rendered UI Layers or Frames vulnerability in Selinc Sel-411L Firmware

An Improper Restriction of Rendered UI Layers or Frames in the Schweitzer Engineering Laboratories SEL-411L could allow an unauthenticated attacker to perform clickjacking based attacks against an authenticated and authorized user. See product Instruction Manual Appendix A dated 20230830 for more details.

6.1
2023-11-30 CVE-2023-2266 Selinc Cross-site Scripting vulnerability in Selinc Sel-411L Firmware

An Improper neutralization of input during web page generation in the Schweitzer Engineering Laboratories SEL-411L could allow an attacker to generate cross-site scripting based attacks against an authorized and authenticated user. See product Instruction Manual Appendix A dated 20230830 for more details.

6.1
2023-11-30 CVE-2023-31177 Selinc Cross-site Scripting vulnerability in Selinc Sel-451 Firmware

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the Schweitzer Engineering Laboratories SEL-451 could allow an attacker to craft a link that could execute arbitrary code on a victim's system. See product Instruction Manual Appendix A dated 20230830 for more details.

6.1
2023-11-30 CVE-2023-38400 Kriesi Cross-site Scripting vulnerability in Kriesi Enfold

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold - Responsive Multi-Purpose Theme allows Reflected XSS. This issue affects Enfold - Responsive Multi-Purpose Theme: from n/a through 5.6.4.

6.1
2023-11-30 CVE-2023-47521 Q2W3 Cross-site Scripting vulnerability in Q2W3 Post Order

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Max Bond, AndreSC Q2W3 Post Order allows Reflected XSS. This issue affects Q2W3 Post Order: from n/a through 1.2.8.

6.1
2023-11-30 CVE-2023-47844 Neobie Cross-site Scripting vulnerability in Neobie Grab & Save

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lim Kai Yang Grab & Save allows Reflected XSS. This issue affects Grab & Save: from n/a through 1.0.4.

6.1
2023-11-30 CVE-2023-47848 Tainacan Cross-site Scripting vulnerability in Tainacan

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tainacan.Org Tainacan allows Reflected XSS. This issue affects Tainacan: from n/a through 0.20.4.

6.1
2023-11-30 CVE-2023-47876 Perfmatters Cross-site Scripting vulnerability in Perfmatters

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfmatters allows Reflected XSS. This issue affects Perfmatters: from n/a through 2.1.6.

6.1
2023-11-30 CVE-2023-48272 Wpmaspik Cross-site Scripting vulnerability in Wpmaspik Maspik 0.7.8

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yonifre Maspik – Spam Blacklist allows Stored XSS. This issue affects Maspik – Spam Blacklist: from n/a through 0.9.2.

6.1
2023-11-30 CVE-2023-48278 Nitinrathod Cross-Site Request Forgery (CSRF) vulnerability in Nitinrathod WP Forms Puzzle Captcha 4.1

Cross-Site Request Forgery (CSRF) vulnerability in Nitin Rathod WP Forms Puzzle Captcha allows Stored XSS. This issue affects WP Forms Puzzle Captcha: from n/a through 4.1.

6.1
2023-11-30 CVE-2023-48746 Peepso Cross-site Scripting vulnerability in Peepso

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PeepSo Community by PeepSo – Social Network, Membership, Registration, User Profiles allows Reflected XSS. This issue affects Community by PeepSo – Social Network, Membership, Registration, User Profiles: from n/a through 6.2.6.0.

6.1
2023-11-30 CVE-2023-48748 Themenectar Cross-site Scripting vulnerability in Themenectar Salient Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme nectar Salient Core allows Reflected XSS. This issue affects Salient Core: from n/a through 2.0.2.

6.1
2023-11-30 CVE-2023-48752 Happyforms Cross-site Scripting vulnerability in Happyforms

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Happyforms Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms allows Reflected XSS. This issue affects Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms: from n/a through 1.25.9.

6.1
2023-11-30 CVE-2023-46086 Servit Cross-site Scripting vulnerability in Servit Affiliate-Toolkit

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin allows Reflected XSS. This issue affects affiliate-toolkit – WordPress Affiliate Plugin: from n/a through 3.4.3.

6.1
2023-11-30 CVE-2023-6419 Aatifaneeq Cross-site Scripting vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script version 1.0 that allows an XSS via editprofile.php in multiple parameters, the exploitation of which could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user.

6.1
2023-11-30 CVE-2023-6420 Aatifaneeq Cross-site Scripting vulnerability in Aatifaneeq Voovi 1.0

A vulnerability has been reported in Voovi Social Networking Script version 1.0 that allows an XSS via signup2.php in the emailadd parameter, the exploitation of which could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user.

6.1
2023-11-30 CVE-2023-38474 Campaignmonitor Cross-site Scripting vulnerability in Campaignmonitor Campaign Monitor

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Campaign Monitor Campaign Monitor for WordPress allows Reflected XSS. This issue affects Campaign Monitor for WordPress: from n/a through 2.8.12.

6.1
2023-11-30 CVE-2023-48322 Edocintelligence Cross-site Scripting vulnerability in Edocintelligence Employee JOB Application

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eDoc Intelligence eDoc Employee Job Application – Best WordPress Job Manager for Employees allows Reflected XSS. This issue affects eDoc Employee Job Application – Best WordPress Job Manager for Employees: from n/a through 1.13.

6.1
2023-11-30 CVE-2023-48326 WP Events Plugin Cross-site Scripting vulnerability in Wp-Events-Plugin Events Manager

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite Events Manager allows Reflected XSS. This issue affects Events Manager: from n/a through 6.4.5.

6.1
2023-11-30 CVE-2023-48743 Codehooligans Cross-site Scripting vulnerability in Codehooligans Simply Exclude 2.0.6.6

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paul Menard Simply Exclude allows Reflected XSS. This issue affects Simply Exclude: from n/a through 2.0.6.6.

6.1
2023-11-30 CVE-2021-36806 Sophos Cross-site Scripting vulnerability in Sophos Email Appliance

A reflected XSS vulnerability allows an open redirect when the victim clicks a malicious link to an error page on Sophos Email Appliance older than version 4.5.3.4.

6.1
2023-11-30 CVE-2023-49077 Mailcow Cross-site Scripting vulnerability in Mailcow Mailcow: Dockerized

Mailcow: dockerized is an open source groupware/email suite based on docker.

6.1
2023-11-29 CVE-2023-6217 Progress Cross-site Scripting vulnerability in Progress Moveit Transfer

In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer. An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment.

6.1
2023-11-29 CVE-2023-49090 Carrierwave Project Cross-site Scripting vulnerability in Carrierwave Project Carrierwave

CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks.

6.1
2023-11-28 CVE-2023-49078 Zediious Cross-site Scripting vulnerability in Zediious Raptor-Web 0.4.4

raptor-web is a CMS for game server communities that can be used to host information and keep track of players.

6.1
2023-11-28 CVE-2023-48042 Communitydeveloper Cross-site Scripting vulnerability in Communitydeveloper Amazzing Filter

Cross Site Scripting (XSS) in Search filters in Prestashop Amazzing filter up to version 3.2.5 allows remote attackers to inject arbitrary JavaScript code.

6.1
2023-11-28 CVE-2023-6359 Grupoalumne Cross-site Scripting vulnerability in Grupoalumne Alumne LMS 4.0.0.1.08

A Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08.

6.1
2023-11-28 CVE-2023-4220 Chamilo Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.

6.1
2023-11-28 CVE-2023-35139 Zyxel Cross-site Scripting vulnerability in Zyxel ZLD 5.00/5.10/5.37

A cross-site scripting (XSS) vulnerability in the CGI program of the Zyxel ATP series firmware versions 5.10 through 5.37, USG FLEX series firmware versions 5.00 through 5.37, USG FLEX 50(W) series firmware versions 5.10 through 5.37, USG20(W)-VPN series firmware versions 5.10 through 5.37, and VPN series firmware versions 5.00 through 5.37, could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device.

6.1
2023-11-27 CVE-2023-48034 Acer Inadequate Encryption Strength vulnerability in Acer Sk-9662 Firmware

An issue discovered in Acer Wireless Keyboard SK-9662 allows an attacker in physical proximity to both decrypt wireless keystrokes and inject arbitrary keystrokes via use of weak encryption.

6.1
2023-11-27 CVE-2023-5325 Levantoan Cross-site Scripting vulnerability in Levantoan Woocommerce Vietnam Checkout

The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 does not escape the custom shipping phone field on the checkout form, leading to XSS.

6.1
2023-11-27 CVE-2023-5560 Lesterchan Cross-site Scripting vulnerability in Lesterchan Wp-Useronline

The WP-UserOnline WordPress plugin before 2.88.3 does not sanitise and escape the X-Forwarded-For header before outputting its content on the page, which allows unauthenticated users to perform Cross-Site Scripting attacks.

6.1
2023-11-27 CVE-2023-5641 Martinstools Cross-site Scripting vulnerability in Martinstools Free & Easy Link Building

The Martins Free & Easy SEO BackLink Link Building Network WordPress plugin before 1.2.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

6.1
2023-11-27 CVE-2023-5653 Wassup Real Time Analytics Project Cross-site Scripting vulnerability in Wassup Real Time Analytics Project Wassup Real Time Analytics

The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does not escape IP addresses provided via some headers before outputting them back in an admin page, allowing unauthenticated users to perform Stored XSS attacks against logged-in admins.

6.1
2023-11-27 CVE-2023-5958 Wpexperts Cross-site Scripting vulnerability in Wpexperts Post Smtp Mailer

The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users.

6.1
2023-11-27 CVE-2023-49029 Smpn1Smg Cross-site Scripting vulnerability in Smpn1Smg Absis

Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the nama parameter in the lock/lock.php file.

6.1
2023-11-27 CVE-2023-47168 Mattermost Open Redirect vulnerability in Mattermost

Mattermost fails to properly check a redirect URL parameter, allowing an open redirect when the user clicks "Back to Mattermost" after providing an invalid custom URL scheme in /oauth/{service}/mobile_login?redirect_to=

6.1
2023-11-27 CVE-2023-6313 URL Shortener Project Cross-site Scripting vulnerability in URL Shortener Project URL Shortener 1.0

A vulnerability was found in SourceCodester URL Shortener 1.0.

6.1
2023-11-27 CVE-2023-6300 Mayurik Cross-site Scripting vulnerability in Mayurik Best Courier Management System 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester Best Courier Management System 1.0.

6.1
2023-11-27 CVE-2023-6301 Mayurik Cross-site Scripting vulnerability in Mayurik Best Courier Management System 1.0

A vulnerability has been found in SourceCodester Best Courier Management System 1.0 and classified as problematic.

6.1
2023-12-01 CVE-2023-42019 IBM Missing Encryption of Sensitive Data vulnerability in IBM Infosphere Information Server 11.7.1

IBM InfoSphere Information Server 11.7 could allow a remote attacker to cause a denial of service due to improper input validation.

5.9
2023-11-28 CVE-2023-49092 Rustcrypto Information Exposure Through Discrepancy vulnerability in Rustcrypto RSA

RustCrypto/RSA is a portable RSA implementation in pure Rust.

5.9
2023-11-28 CVE-2023-45286 Resty Project Race Condition vulnerability in Resty Project Resty 0.9.2

A race condition in go-resty can result in HTTP request body disclosure across requests.

5.9
2023-11-28 CVE-2023-5981 GNU, Redhat, Fedoraproject Information Exposure Through Discrepancy vulnerability in multiple products

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

5.9
2023-11-27 CVE-2023-4642 Kamalkhan Race Condition vulnerability in Kamalkhan KK Star Ratings

The kk Star Ratings WordPress plugin before 5.4.6 does not implement atomic operations, allowing one user to vote multiple times on a poll due to a Race Condition.

5.9
2023-11-28 CVE-2023-32065 Oroinc Improper Access Control vulnerability in Oroinc Orocommerce

OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind.

5.8
2023-11-28 CVE-2023-29060 BD Missing Authentication for Critical Function vulnerability in BD Facschorus

The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports.

5.7
2023-12-01 CVE-2023-42006 IBM Incorrect Authorization vulnerability in IBM I

IBM Administration Runtime Expert for i 7.2, 7.3, 7.4, and 7.5 could allow a local user to obtain sensitive information caused by improper authority checks.

5.5
2023-11-28 CVE-2023-5797 Zyxel Improper Privilege Management vulnerability in Zyxel products

An improper privilege management vulnerability in the debug CLI command of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, VPN series firmware versions 4.30 through 5.37, NWA50AX firmware version 6.29(ABYW.2), WAC500 firmware version 6.65(ABVS.1), WAX300H firmware version 6.60(ACHF.1), and WBE660S firmware version 6.65(ACGG.1), could allow an authenticated local attacker to access the administrator’s logs on an affected device.

5.5
2023-11-28 CVE-2023-5960 Zyxel Improper Privilege Management vulnerability in Zyxel ZLD

An improper privilege management vulnerability in the hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.37 and VPN series firmware versions 4.30 through 5.37 could allow an authenticated local attacker to access the system files on an affected device.

5.5
2023-11-28 CVE-2023-35136 Zyxel Improper Input Validation vulnerability in Zyxel ZLD

An improper input validation vulnerability in the “Quagga” package of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to access configuration files on an affected device.

5.5
2023-11-28 CVE-2023-37925 Zyxel Improper Privilege Management vulnerability in Zyxel products

An improper privilege management vulnerability in the debug CLI command of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, VPN series firmware versions 4.30 through 5.37, NWA50AX firmware version 6.29(ABYW.2), WAC500 firmware version 6.65(ABVS.1), WAX300H firmware version 6.60(ACHF.1), and WBE660S firmware version 6.65(ACGG.1), could allow an authenticated local attacker to access system files on an affected device.

5.5
2023-11-28 CVE-2023-37926 Zyxel Classic Buffer Overflow vulnerability in Zyxel ZLD

A buffer overflow vulnerability in the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing the CLI command to dump system logs on an affected device.

5.5
2023-11-28 CVE-2023-5650 Zyxel Improper Privilege Management vulnerability in Zyxel ZLD

An improper privilege management vulnerability in the ZySH of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.

5.5
2023-11-27 CVE-2023-42364 Busybox Use After Free vulnerability in Busybox 1.36.1

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.

5.5
2023-11-27 CVE-2023-42365 Busybox Use After Free vulnerability in Busybox 1.36.1

A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.

5.5
2023-11-27 CVE-2023-42366 Busybox Out-of-bounds Write vulnerability in Busybox 1.36.1

A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.

5.5
2023-11-27 CVE-2023-42363 Busybox Use After Free vulnerability in Busybox 1.36.1

A use-after-free vulnerability was discovered in the xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.

5.5
2023-11-27 CVE-2023-6287 Tribe29 Information Exposure Through Log Files vulnerability in Tribe29 Checkmk Appliance Firmware

Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows a local attacker to retrieve passwords via reading log files.

5.5
2023-11-27 CVE-2023-25632 Naver Unspecified vulnerability in Naver Whale Browser

The Android Mobile Whale browser app before 3.0.1.2 allows the attacker to bypass its browser unlock function via 'Open in Whale' feature.

5.5
2023-12-02 CVE-2023-6473 Remyandrade Cross-site Scripting vulnerability in Remyandrade Online Quiz System 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester Online Quiz System 1.0.

5.4
2023-12-01 CVE-2023-6463 Remyandrade Cross-site Scripting vulnerability in Remyandrade User Registration and Login System 1.0

A vulnerability has been found in SourceCodester User Registration and Login System 1.0 and classified as problematic.

5.4
2023-12-01 CVE-2023-42009 IBM Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7.1

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting.

5.4
2023-12-01 CVE-2023-42022 IBM Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7.1

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting.

5.4
2023-12-01 CVE-2023-46174 IBM Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7.1

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting.

5.4
2023-12-01 CVE-2023-43015 IBM Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7.1

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting.

5.4
2023-12-01 CVE-2023-6033 Gitlab Cross-site Scripting vulnerability in Gitlab

Improper neutralization of input in Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3 allows attacker to execute javascript in victim's browser.

5.4
2023-11-30 CVE-2023-6440 Remyandrade Cross-site Scripting vulnerability in Remyandrade Book Borrower System 1.0

A vulnerability was found in SourceCodester Book Borrower System 1.0 and classified as problematic.

5.4
2023-11-30 CVE-2023-6442 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Nipah Virus Testing Management System 1.0

A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0.

5.4
2023-11-30 CVE-2023-2267 Selinc Unspecified vulnerability in Selinc Sel-411L Firmware

An Improper Input Validation vulnerability in Schweitzer Engineering Laboratories SEL-411L could allow an attacker to perform reflection attacks against an authorized and authenticated user. See product Instruction Manual Appendix A dated 20230830 for more details.

5.4
2023-11-30 CVE-2023-47853 Mycred Cross-site Scripting vulnerability in Mycred

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored XSS. This issue affects myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin: from n/a through 2.6.1.

5.4
2023-11-30 CVE-2023-47872 Gvectors Cross-site Scripting vulnerability in Gvectors Wpforo Forum

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team wpForo Forum allows Stored XSS. This issue affects wpForo Forum: from n/a through 2.2.3.

5.4
2023-11-30 CVE-2023-47877 Perfmatters Cross-site Scripting vulnerability in Perfmatters

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfmatters allows Stored XSS. This issue affects Perfmatters: from n/a before 2.2.0.

5.4
2023-11-30 CVE-2023-48317 Vikasvatsa Cross-site Scripting vulnerability in Vikasvatsa Display Custom Post

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Vatsa Display Custom Post allows Stored XSS. This issue affects Display Custom Post: from n/a through 2.2.1.

5.4
2023-11-30 CVE-2023-48321 Magazine3 Cross-site Scripting vulnerability in Magazine3 AMP for WP

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ahmed Kaludi, Mohammed Kaludi AMP for WP – Accelerated Mobile Pages allows Stored XSS. This issue affects AMP for WP – Accelerated Mobile Pages: from n/a through 1.0.88.1.

5.4
2023-11-30 CVE-2023-48749 Themenectar Cross-site Scripting vulnerability in Themenectar Salient Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme nectar Salient Core allows Stored XSS. This issue affects Salient Core: from n/a through 2.0.2.

5.4
2023-11-30 CVE-2023-44143 Bamboo MCR Cross-site Scripting vulnerability in Bamboo MCR Bamboo Columns 1.6.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bamboo Mcr Bamboo Columns allows Stored XSS. This issue affects Bamboo Columns: from n/a through 1.6.1.

5.4
2023-11-30 CVE-2023-45609 Powr Cross-site Scripting vulnerability in Powr Pack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POWR.Io Contact Form – Custom Builder, Payment Form, and More allows Stored XSS. This issue affects Contact Form – Custom Builder, Payment Form, and More: from n/a through 2.1.0.

5.4
2023-11-30 CVE-2023-6027 Elijaa Cross-site Scripting vulnerability in Elijaa PHPmemcachedadmin 1.3.0

A critical flaw has been identified in elijaa/phpmemcachedadmin affecting version 1.3.0, specifically related to a stored XSS vulnerability.

5.4
2023-11-30 CVE-2023-6422 Bigprof Cross-site Scripting vulnerability in Bigprof Online Clinic Management System 2.2

A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/patients_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6423 Bigprof Cross-site Scripting vulnerability in Bigprof Online Clinic Management System 2.2

A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/events_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6424 Bigprof Cross-site Scripting vulnerability in Bigprof Online Clinic Management System 2.2

A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/disease_symptoms_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6425 Bigprof Cross-site Scripting vulnerability in Bigprof Online Clinic Management System 2.2

A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6426 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6427 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6428 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/items_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6429 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/clients_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6430 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/transactions_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6431 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/categories_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6432 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/items_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6433 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/suppliers_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6434 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/sections_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-6435 Bigprof Cross-site Scripting vulnerability in Bigprof Online Invoicing System 2.6

A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/batches_view.php, in the FirstRecord parameter.

5.4
2023-11-30 CVE-2023-32291 Monsterinsights Cross-site Scripting vulnerability in Monsterinsights

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MonsterInsights Pro allows Stored XSS. This issue affects MonsterInsights Pro: from n/a through 8.14.1.

5.4
2023-11-30 CVE-2023-40674 Getlasso Cross-site Scripting vulnerability in Getlasso Simple Urls

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lasso Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management allows Stored XSS. This issue affects Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management: from n/a through 118.

5.4
2023-11-30 CVE-2023-45050 Automattic Cross-site Scripting vulnerability in Automattic Jetpack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack – WP Security, Backup, Speed, & Growth allows Stored XSS. This issue affects Jetpack – WP Security, Backup, Speed, & Growth: from n/a through 12.8-a.1.

5.4
2023-11-30 CVE-2023-47505 Elementor Cross-site Scripting vulnerability in Elementor Website Builder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor.Com Elementor allows Cross-Site Scripting (XSS). This issue affects Elementor: from n/a through 3.16.4.

5.4
2023-11-30 CVE-2023-47777 Automattic Cross-site Scripting vulnerability in Automattic Woocommerce and Woocommerce Blocks

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS. This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1.

5.4
2023-11-30 CVE-2023-47850 Peepso Cross-site Scripting vulnerability in Peepso

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PeepSo Community by PeepSo – Social Network, Membership, Registration, User Profiles allows Stored XSS. This issue affects Community by PeepSo – Social Network, Membership, Registration, User Profiles: from n/a through 6.2.2.0.

5.4
2023-11-30 CVE-2023-47851 Addonmaster Cross-site Scripting vulnerability in Addonmaster Bootstrap Shortcodes Ultimate 4.3.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Akhtarujjaman Shuvo Bootstrap Shortcodes Ultimate allows Stored XSS. This issue affects Bootstrap Shortcodes Ultimate: from n/a through 4.3.1.

5.4
2023-11-30 CVE-2023-47854 Howardehrenberg Cross-site Scripting vulnerability in Howardehrenberg Parallax Image

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Howard Ehrenberg Parallax Image allows Stored XSS. This issue affects Parallax Image: from n/a through 1.7.1.

5.4
2023-11-30 CVE-2023-48289 Spreadsheetconverter Cross-site Scripting vulnerability in Spreadsheetconverter Import Spreadsheets

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SpreadsheetConverter Import Spreadsheets from Microsoft Excel allows Stored XSS. This issue affects Import Spreadsheets from Microsoft Excel: from n/a through 10.1.3.

5.4
2023-11-30 CVE-2023-48336 Cybernetikz Cross-site Scripting vulnerability in Cybernetikz Easy Social Icons

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cybernetikz Easy Social Icons allows Stored XSS. This issue affects Easy Social Icons: from n/a through 3.2.4.

5.4
2023-11-29 CVE-2023-44383 Octobercms Cross-site Scripting vulnerability in Octobercms October

October is a Content Management System (CMS) and web platform to assist with development workflow.

5.4
2023-11-28 CVE-2023-42502 Apache Open Redirect vulnerability in Apache Superset

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header; users could be redirected to this site when clicking on that specific dataset.

5.4
2023-11-28 CVE-2023-6225 Getshortcodes Cross-site Scripting vulnerability in Getshortcodes Shortcodes Ultimate

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_meta shortcode combined with post meta data in all versions up to, and including, 5.13.3 due to insufficient input sanitization and output escaping on user supplied meta values.

5.4
2023-11-28 CVE-2023-47437 Pachno Cross-site Scripting vulnerability in Pachno

A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting (XSS) attack.

5.4
2023-11-27 CVE-2023-49145 Apache Cross-site Scripting vulnerability in Apache Nifi

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting.

5.4
2023-11-27 CVE-2023-49028 Absis Cross-site Scripting vulnerability in Absis

Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the user parameter in the lock/lock.php file.

5.4
2023-11-27 CVE-2023-4514 Mediamanifesto Cross-site Scripting vulnerability in Mediamanifesto MMM Simple File List

The Mmm Simple File List WordPress plugin through 2.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-11-27 CVE-2023-5620 Webpushr Cross-site Scripting vulnerability in Webpushr web Push Notifications

The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks.

5.4
2023-11-27 CVE-2023-5738 Webtoffee Cross-site Scripting vulnerability in Webtoffee Backup and Migration

The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks.

5.4
2023-11-27 CVE-2023-5942 Drelton Cross-site Scripting vulnerability in Drelton Medialist

The Medialist WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-11-27 CVE-2023-43701 Apache Cross-site Scripting vulnerability in Apache Superset

Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code in a Chart's metadata; this code could be executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

5.4
2023-11-27 CVE-2023-35075 Mattermost Injection vulnerability in Mattermost

Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML into a victim's page by creating a channel name that is valid HTML.

5.4
2023-12-03 CVE-2023-49948 Forgejo Unspecified vulnerability in Forgejo

Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.

5.3
2023-12-01 CVE-2023-43021 IBM Information Exposure Through an Error Message vulnerability in IBM Infosphere Information Server 11.7.1

IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.3
2023-12-01 CVE-2023-3949 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1.

5.3
2023-12-01 CVE-2023-5915 Yokogawa Unspecified vulnerability in Yokogawa Stardom FCJ Firmware and Stardom FCN Firmware

A vulnerability of Uncontrolled Resource Consumption has been identified in STARDOM provided by Yokogawa Electric Corporation. This vulnerability may allow a remote attacker to cause a denial-of-service condition on the FCN/FCJ controller by sending a crafted packet.

5.3
2023-11-30 CVE-2021-35975 Systematica Path Traversal vulnerability in Systematica products

Absolute path traversal vulnerability in the Systematica SMTP Adapter component (up to v2.0.1.101) in Systematica Radius (up to v.3.9.256.777) allows remote attackers to read arbitrary files via a full pathname in GET parameter "file" in URL.

5.3
2023-11-30 CVE-2023-6341 Catalisgov Authorization Bypass Through User-Controlled Key vulnerability in Catalisgov Cms360

Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs.

5.3
2023-11-30 CVE-2023-6343 Tylertech Improper Authentication vulnerability in Tylertech Court Case Management Plus

Tyler Technologies Court Case Management Plus allows a remote, unauthenticated attacker to enumerate and access sensitive files using the tiffserver/tssp.aspx 'FN' and 'PN' parameters.

5.3
2023-11-30 CVE-2023-6344 Tylertech Improper Authentication vulnerability in Tylertech Court Case Management Plus

Tyler Technologies Court Case Management Plus allows a remote, unauthenticated attacker to enumerate directories using the tiffserver/te003.aspx or te004.aspx 'ifolder' parameter.

5.3
2023-11-30 CVE-2023-6352 Aquaforest Path Traversal vulnerability in Aquaforest Tiff Server 4.2.210913

The default configuration of Aquaforest TIFF Server allows access to arbitrary file paths, subject to any restrictions imposed by Internet Information Services (IIS) or Microsoft Windows.

5.3
2023-11-30 CVE-2023-6438 Thecosy Improper Enforcement of a Single, Unique Action vulnerability in Thecosy Icecms 2.0.1

A vulnerability classified as problematic has been found in Thecosy IceCMS 2.0.1.

5.3
2023-11-30 CVE-2023-25057 Libsyn Unspecified vulnerability in Libsyn Publisher HUB

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Libsyn Libsyn Publisher Hub. This issue affects Libsyn Publisher Hub: from n/a through 1.3.2.

5.3
2023-11-30 CVE-2023-36507 Reputeinfosystems Unspecified vulnerability in Reputeinfosystems Bookingpress

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Repute Infosystems BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin. This issue affects BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin: from n/a through 1.0.64.

5.3
2023-11-30 CVE-2023-36523 Gopiplus Unspecified vulnerability in Gopiplus Email Download Link

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gopi Ramasamy Email download link. This issue affects Email download link: from n/a through 3.7.

5.3
2023-11-30 CVE-2023-45834 Libsyn Unspecified vulnerability in Libsyn Publisher HUB

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Libsyn Libsyn Publisher Hub. This issue affects Libsyn Publisher Hub: from n/a through 1.4.4.

5.3
2023-11-30 CVE-2023-46820 Iuliacazan Unspecified vulnerability in Iuliacazan Image Regenerate & Select Crop

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Iulia Cazan Image Regenerate & Select Crop. This issue affects Image Regenerate & Select Crop: from n/a through 7.3.0.

5.3
2023-11-30 CVE-2023-49081 Aiohttp Unspecified vulnerability in Aiohttp

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.

5.3
2023-11-29 CVE-2023-49082 Aiohttp CRLF Injection vulnerability in Aiohttp

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.

5.3
2023-11-28 CVE-2023-30588 Nodejs Unspecified vulnerability in Nodejs Node.Js

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API, an unexpected termination occurs, making the application susceptible to DoS attacks: an attacker could force interruptions of application processing, as the process terminates when user code accesses the public key info of the provided certificate.

5.3
2023-11-28 CVE-2023-48121 Ezviz Improper Authentication vulnerability in Ezviz products

An authentication bypass vulnerability in the Direct Connection Module in Ezviz CS-C6N-xxx prior to v5.3.x build 20230401, Ezviz CS-CV310-xxx prior to v5.3.x build 20230401, Ezviz CS-C6CN-xxx prior to v5.3.x build 20230401, Ezviz CS-C3N-xxx prior to v5.3.x build 20230401 allows remote attackers to obtain sensitive information by sending crafted messages to the affected devices.

5.3
2023-11-28 CVE-2023-48713 Knative Unspecified vulnerability in Knative Serving

Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers.

5.3
2023-11-27 CVE-2023-46355 Blmodules Unspecified vulnerability in Blmodules CSV Feeds PRO 2.5.2

In the module "CSV Feeds PRO" (csvfeeds) < 2.6.1 from Bl Modules for PrestaShop, a guest can download personal information without restriction.

5.3
2023-11-27 CVE-2023-4252 Metagauss Unspecified vulnerability in Metagauss Eventprime

The EventPrime WordPress plugin through 3.2.9 specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment.

5.3
2023-11-27 CVE-2023-5611 Seraphinitesolutions Missing Authorization vulnerability in Seraphinitesolutions Seraphinite Accelerator

The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them.

5.3
2023-11-27 CVE-2023-5845 Wpbrigade Unspecified vulnerability in Wpbrigade Simple Social Buttons

The Simple Social Media Share Buttons WordPress plugin before 5.1.1 leaks password-protected post content to unauthenticated visitors in some meta tags.

5.3
2023-11-27 CVE-2023-5871 Redhat Reachable Assertion vulnerability in Redhat Enterprise Linux and Libnbd

A flaw was found in libnbd, due to a malicious Network Block Device (NBD); NBD is a protocol for accessing block devices such as hard disks over a network.

5.3
2023-11-27 CVE-2023-48369 Mattermost Resource Exhaustion vulnerability in Mattermost

Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log.

5.3
2023-11-27 CVE-2023-49321 F Secure Unspecified vulnerability in F-Secure products

Certain WithSecure products allow a Denial of Service because scanning a crafted file takes a long time, and causes the scanner to hang.

5.3
2023-11-28 CVE-2023-29061 BD Missing Authentication for Critical Function vulnerability in BD Facschorus

There is no BIOS password on the FACSChorus workstation.

5.2
2023-11-28 CVE-2023-32063 Oroinc Improper Access Control vulnerability in Oroinc Client Relationship Management

OroCalendarBundle enables a Calendar feature and related functionality in Oro applications.

5.0
2023-12-01 CVE-2023-44381 Octobercms Code Injection vulnerability in Octobercms October

October is a Content Management System (CMS) and web platform to assist with development workflow.

4.9
2023-12-02 CVE-2023-6472 Phpems Cross-site Scripting vulnerability in PHPems 7.0

A vulnerability, which was classified as problematic, has been found in PHPEMS 7.0.

4.8
2023-11-30 CVE-2023-34018 Soundcloud Cross-site Scripting vulnerability in Soundcloud Shortcode

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SoundCloud Inc.

4.8
2023-11-30 CVE-2023-48320 WEB Dorado Cross-site Scripting vulnerability in Web-Dorado Spidervplayer 1.5.22

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDorado SpiderVPlayer allows Stored XSS. This issue affects SpiderVPlayer: from n/a through 1.5.22.

4.8
2023-11-30 CVE-2023-39921 Amitzy Cross-site Scripting vulnerability in Amitzy Molongui

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Molongui Author Box, Guest Author and Co-Authors for Your Posts – Molongui allows Stored XSS. This issue affects Author Box, Guest Author and Co-Authors for Your Posts – Molongui: from n/a through 4.6.19.

4.8
2023-11-30 CVE-2023-40680 Yoast Cross-site Scripting vulnerability in Yoast SEO

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Team Yoast Yoast SEO allows Stored XSS. This issue affects Yoast SEO: from n/a through 21.0.

4.8
2023-11-30 CVE-2023-41127 Evergreencontentposter Cross-site Scripting vulnerability in Evergreencontentposter Evergreen Content Poster

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Evergreen Content Poster Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media allows Stored XSS. This issue affects Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media: from n/a through 1.3.6.1.

4.8
2023-11-30 CVE-2023-41128 Iqonic Cross-site Scripting vulnerability in Iqonic WP Roadmap

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Iqonic Design WP Roadmap – Product Feedback Board allows Stored XSS. This issue affects WP Roadmap – Product Feedback Board: from n/a through 1.0.8.

4.8
2023-11-30 CVE-2023-41136 Ohmybox Cross-site Scripting vulnerability in Ohmybox Simple Long Form

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Laurence/OhMyBox.Info Simple Long Form allows Stored XSS. This issue affects Simple Long Form: from n/a through 2.2.2.

4.8
2023-11-30 CVE-2023-48329 Codebard Cross-site Scripting vulnerability in Codebard Fast Custom Social Share

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeBard Fast Custom Social Share by CodeBard allows Stored XSS. This issue affects Fast Custom Social Share by CodeBard: from n/a through 1.1.1.

4.8
2023-11-30 CVE-2023-48737 Tripay Cross-site Scripting vulnerability in Tripay Payment Gateway

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PT Trijaya Digital Grup TriPay Payment Gateway allows Stored XSS. This issue affects TriPay Payment Gateway: from n/a through 3.2.7.

4.8
2023-11-29 CVE-2023-48880 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.6.4

A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Menu Name field at /login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn.

4.8
2023-11-29 CVE-2023-48881 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.6.4

A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field Title field at /login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn.

4.8
2023-11-29 CVE-2023-48882 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.6.4

A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Document Properties field at /login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn.

4.8
2023-11-28 CVE-2023-4667 Idemia Cross-site Scripting vulnerability in Idemia products

The web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields.

4.8
2023-11-27 CVE-2023-2707 Gappointments Cross-site Scripting vulnerability in Gappointments

The gAppointments WordPress plugin through 1.9.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-11-27 CVE-2023-5209 Booking WP Plugin Cross-site Scripting vulnerability in Booking-Wp-Plugin Bookly

The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-11-27 CVE-2023-6303 Cskaza Cross-site Scripting vulnerability in Cskaza Cszcms 1.3.0

A vulnerability was found in CSZCMS 1.3.0.

4.8
2023-11-30 CVE-2023-5274 Mitsubishielectric Improper Input Validation vulnerability in Mitsubishielectric GX Works2

Improper Input Validation vulnerability in the simulation function of GX Works2 allows an attacker to cause a denial-of-service (DoS) condition on the function by sending specially crafted packets.

4.7
2023-11-30 CVE-2023-5275 Mitsubishielectric Improper Input Validation vulnerability in Mitsubishielectric GX Works2

Improper Input Validation vulnerability in the simulation function of GX Works2 allows an attacker to cause a denial-of-service (DoS) condition on the function by sending specially crafted packets.

4.7
2023-11-28 CVE-2023-4397 Zyxel Classic Buffer Overflow vulnerability in Zyxel ZLD 5.37

A buffer overflow vulnerability in the Zyxel ATP series firmware version 5.37, USG FLEX series firmware version 5.37, USG FLEX 50(W) series firmware version 5.37, and USG20(W)-VPN series firmware version 5.37, could allow an authenticated local attacker with administrator privileges to cause denial-of-service (DoS) conditions by executing the CLI command with crafted strings on an affected device.

4.4
2023-12-01 CVE-2023-46746 Posthog Server-Side Request Forgery (SSRF) vulnerability in Posthog

PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host.

4.3
2023-12-01 CVE-2023-3443 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1.

4.3
2023-12-01 CVE-2023-3964 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1.

4.3
2023-12-01 CVE-2023-4317 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1.

4.3
2023-11-30 CVE-2023-37890 Liquidweb Missing Authorization vulnerability in Liquidweb KB Support

Missing Authorization vulnerability in WPOmnia KB Support – WordPress Help Desk and Knowledge Base allows Accessing Functionality Not Properly Constrained by ACLs. Users with a role as low as a subscriber can view other customers. This issue affects KB Support – WordPress Help Desk and Knowledge Base: from n/a through 1.5.88.

4.3
2023-11-30 CVE-2023-49094 Sentry Server-Side Request Forgery (SSRF) vulnerability in Sentry Symbolicator

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support.

4.3
2023-11-30 CVE-2023-5772 Bowo Cross-Site Request Forgery (CSRF) vulnerability in Bowo Debug LOG Manager

The Debug Log Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1.

4.3
2023-11-29 CVE-2023-49674 Jenkins Missing Authorization vulnerability in Jenkins Neuvector vulnerability Scanner

A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password.

4.3
2023-11-29 CVE-2023-6070 Trellix Server-Side Request Forgery (SSRF) vulnerability in Trellix Enterprise Security Manager

A server-side request forgery vulnerability in ESM prior to version 11.6.8 allows a low privileged authenticated user to upload arbitrary content, potentially altering configuration.

4.3
2023-11-28 CVE-2023-29064 BD Use of Hard-coded Credentials vulnerability in BD Facschorus

The FACSChorus software contains sensitive information stored in plaintext.

4.3
2023-11-28 CVE-2023-29065 BD Incorrect Permission Assignment for Critical Resource vulnerability in BD Facschorus

The FACSChorus software database can be accessed directly with the privileges of the currently logged-in user.

4.3
2023-11-28 CVE-2023-42505 Apache Unspecified vulnerability in Apache Superset

An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection's username. This issue affects Apache Superset before 3.0.0.

4.3
2023-11-28 CVE-2023-6226 Getshortcodes Authorization Bypass Through User-Controlled Key vulnerability in Getshortcodes Shortcodes Ultimate

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'.

4.3
2023-11-28 CVE-2023-32064 Oroinc Improper Access Control vulnerability in Oroinc Orocommerce

OroCommerce is a package with customer portal and non-authenticated visitor website base features.

4.3
2023-11-27 CVE-2023-32062 Oroinc Improper Access Control vulnerability in Oroinc Oroplatform

OroPlatform is a package that assists system and user calendar management.

4.3
2023-11-27 CVE-2023-4297 Mediamanifesto Unspecified vulnerability in Mediamanifesto MMM Simple File List 2.3

The Mmm Simple File List WordPress plugin through 2.3 does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories.

4.3
2023-11-27 CVE-2023-5525 Limitloginattempts Missing Authorization vulnerability in Limitloginattempts Limit Login Attempts Reloaded

The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.

4.3
2023-11-27 CVE-2023-5737 Webtoffee Missing Authorization vulnerability in Webtoffee Backup and Migration

The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings.

4.3
2023-11-27 CVE-2023-42501 Apache Incorrect Default Permissions vulnerability in Apache Superset

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version 2.1.2 or above and run `superset init` to reconstruct the Gamma role, or remove the `can_read` permission from the mentioned resources.

4.3
2023-11-27 CVE-2023-43754 Mattermost Unspecified vulnerability in Mattermost

Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled.

4.3
2023-11-27 CVE-2023-45223 Mattermost Unspecified vulnerability in Mattermost

Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled.

4.3
2023-11-27 CVE-2023-6202 Mattermost Unspecified vulnerability in Mattermost

Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g.

4.3
2023-11-27 CVE-2023-47865 Mattermost Unspecified vulnerability in Mattermost

Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post.

4.3

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-11-28 CVE-2023-29062 BD Improper Authentication vulnerability in BD Facschorus

The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource.

3.8
2023-12-02 CVE-2023-6467 Thecosy Unspecified vulnerability in Thecosy Icecms 2.0.1

A vulnerability was found in Thecosy IceCMS 2.0.1.

3.7
2023-11-28 CVE-2023-29066 BD Improper Privilege Management vulnerability in BD Facschorus

The FACSChorus software does not properly assign data access privileges for operating system user accounts.

3.5
2023-12-01 CVE-2023-43089 Dell Unspecified vulnerability in Dell Rugged Control Center

Dell Rugged Control Center, versions prior to 4.7, contains insufficient protection for the Policy folder.

3.3
2023-12-01 CVE-2023-4658 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1.

3.1
2023-11-29 CVE-2023-49652 Jenkins Missing Authorization vulnerability in Jenkins Google Compute Engine

Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects.

2.7
2023-12-01 CVE-2023-28896 Preh Inadequate Encryption Strength vulnerability in Preh Mib3 Firmware

Access to critical Unified Diagnostics Services (UDS) of the Modular Infotainment Platform 3 (MIB3) infotainment unit is transmitted over the Controller Area Network (CAN) bus in a form that can be easily decoded by attackers with physical access to the vehicle. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.

2.4
2023-11-28 CVE-2023-29063 BD Missing Authentication for Critical Function vulnerability in BD Facschorus

The FACSChorus workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture.

2.4