Weekly Vulnerabilities Reports > December 18 to 24, 2023

Overview

565 new vulnerabilities reported during this period, including 151 critical vulnerabilities and 206 high severity vulnerabilities. This weekly summary report vulnerabilities in 512 products from 331 vendors including Totolink, Ivanti, Mozilla, Debian, and IBM. Vulnerabilities are notably categorized as "SQL Injection", "Cross-site Scripting", "Cross-Site Request Forgery (CSRF)", "Out-of-bounds Write", and "Unrestricted Upload of File with Dangerous Type".

  • 519 reported vulnerabilities are remotely exploitables.
  • 243 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 354 reported vulnerabilities are exploitable by an anonymous user.
  • Totolink has the most reported vulnerabilities, with 23 reported vulnerabilities.
  • Totolink has the most reported critical vulnerabilities, with 23 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

151 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-24 CVE-2023-7102 Barracuda Unspecified vulnerability in Barracuda products

Use of a Third Party library produced a vulnerability in Barracuda Networks Inc.

9.8
2023-12-24 CVE-2023-51714 QT Integer Overflow or Wraparound vulnerability in QT

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2.

9.8
2023-12-24 CVE-2023-51763 Activeadmin Improper Neutralization of Formula Elements in a CSV File vulnerability in Activeadmin Active Admin

csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection.

9.8
2023-12-23 CVE-2023-6971 Backupbliss Inclusion of Functionality from Untrusted Control Sphere vulnerability in Backupbliss Backup Migration

The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header.

9.8
2023-12-23 CVE-2023-6972 Backupbliss Path Traversal vulnerability in Backupbliss Backup Migration

The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers.

9.8
2023-12-22 CVE-2023-50147 Totolink OS Command Injection vulnerability in Totolink A3700R Firmware 9.1.2U.5822B20200513

There is an arbitrary command execution vulnerability in the setDiagnosisCfg function of the cstecgi .cgi of the TOTOlink A3700R router device in its firmware version V9.1.2u.5822_B20200513.

9.8
2023-12-22 CVE-2023-50708 Yiiframework Unspecified vulnerability in Yiiframework Yii2-Authclient

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0.

9.8
2023-12-22 CVE-2023-51011 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanPriDns parameter’ of the setLanConfig interface of the cstecgi .cgi

9.8
2023-12-22 CVE-2023-51012 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanGateway parameter’ of the setLanConfig interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51013 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanNetmask parameter’ of the setLanConfig interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51014 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOLINK EX1800T V9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanSecDns parameter’ of the setLanConfig interface of the cstecgi .cgi

9.8
2023-12-22 CVE-2023-51015 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOLINX EX1800T v9.1.0cu.2112_B20220316 is vulnerable to arbitrary command execution in the ‘enable parameter’ of the setDmzCfg interface of the cstecgi .cgi

9.8
2023-12-22 CVE-2023-51016 Totolink Command Injection vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the setRebootScheCfg interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51017 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanIp parameter’ of the setLanConfig interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51018 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘opmode’ parameter of the setWiFiApConfig interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51019 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘key5g’ parameter of the setWiFiExtenderConfig interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51020 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘langType’ parameter of the setLanguageCfg interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51021 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘merge’ parameter of the setRptWizardCfg interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51022 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘langFlag’ parameter of the setLanguageCfg interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51033 Totolink OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023

TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution via the cstecgi.cgi setOpModeCfg interface.

9.8
2023-12-22 CVE-2023-51034 Totolink Unrestricted Upload of File with Dangerous Type vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023

TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution via the cstecgi.cgi UploadFirmwareFile interface.

9.8
2023-12-22 CVE-2023-51035 Totolink OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023

TOTOLINK EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution on the cstecgi.cgi NTPSyncWithHost interface.

9.8
2023-12-22 CVE-2023-51023 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to arbitrary command execution in the ‘host_time’ parameter of the NTPSyncWithHost interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51024 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘tz’ parameter of the setNtpCfg interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51025 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T V9.1.0cu.2112_B20220316 is vulnerable to an unauthorized arbitrary command execution in the ‘admuser’ parameter of the setPasswordCfg interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51026 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T V9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘hour’ parameter of the setRebootScheCfg interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51027 Totolink Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOlink EX1800T V9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘apcliAuthMode’ parameter of the setWiFiExtenderConfig interface of the cstecgi .cgi.

9.8
2023-12-22 CVE-2023-51028 Totolink OS Command Injection vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316

TOTOLINK EX1800T 9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the apcliChannel parameter of the setWiFiExtenderConfig interface of the cstecgi.cgi.

9.8
2023-12-22 CVE-2023-49792 Nextcloud Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud Server

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform.

9.8
2023-12-22 CVE-2023-42017 IBM Unrestricted Upload of File with Dangerous Type vulnerability in IBM Planning Analytics 2.0

IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions.

9.8
2023-12-22 CVE-2023-7058 Oretnom23 Path Traversal: '../filedir' vulnerability in Oretnom23 Simple Student Attendance System 1.0

A vulnerability was found in SourceCodester Simple Student Attendance System 1.0.

9.8
2023-12-22 CVE-2022-47532 Filerun SQL Injection vulnerability in Filerun 20220519

FileRun 20220519 allows SQL Injection via the "dir" parameter in a /?module=users&section=cpanel&page=list request.

9.8
2023-12-22 CVE-2023-51707 Arraynetworks Command Injection vulnerability in Arraynetworks Arrayos AG

MotionPro in Array ArrayOS AG before 9.4.0.505 on AG and vxAG allows remote command execution via crafted packets.

9.8
2023-12-22 CVE-2023-49688 Kashipara SQL Injection vulnerability in Kashipara JOB Portal 1.0

Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'txtUser' parameter of the login.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-22 CVE-2023-49689 Kashipara SQL Injection vulnerability in Kashipara JOB Portal 1.0

Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'JobId' parameter of the Employer/DeleteJob.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-49677 Kashipara SQL Injection vulnerability in Kashipara JOB Portal 1.0

Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'cmbQual' parameter of the Employer/InsertJob.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-49681 Kashipara SQL Injection vulnerability in Kashipara JOB Portal 1.0

Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'cmbQual' parameter of the Employer/InsertWalkin.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-48685 Projectworlds SQL Injection vulnerability in Projectworlds Railway Reservation System 1.0

Railway Reservation System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'psd' parameter of the login.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-48687 Projectworlds SQL Injection vulnerability in Projectworlds Railway Reservation System 1.0

Railway Reservation System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'from' parameter of the reservation.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-48689 Projectworlds SQL Injection vulnerability in Projectworlds Railway Reservation System 1.0

Railway Reservation System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'byname' parameter of the train.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-48716 Projectworlds SQL Injection vulnerability in Projectworlds Student Result Management System 1.0

Student Result Management System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'class_id' parameter of the add_classes.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-48718 Phpgurukul SQL Injection vulnerability in PHPgurukul Student Result Management System 1.0

Student Result Management System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'class_name' parameter of the add_students.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-48720 Phpgurukul SQL Injection vulnerability in PHPgurukul Student Result Management System 1.0

Student Result Management System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'password' parameter of the login.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-48722 Phpgurukul SQL Injection vulnerability in PHPgurukul Student Result Management System 1.0

Student Result Management System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'class_name' parameter of the add_results.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-21 CVE-2023-7039 Byzoro Unspecified vulnerability in Byzoro Smart S210 Firmware 20231121

A vulnerability classified as critical has been found in Beijing Baichuo S210 up to 20231210.

9.8
2023-12-21 CVE-2023-51048 S CMS SQL Injection vulnerability in S-Cms 5.0

S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_newsauth parameter at /admin/ajax.php.

9.8
2023-12-21 CVE-2023-51049 S CMS SQL Injection vulnerability in S-Cms 5.0

S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_bbsauth parameter at /admin/ajax.php.

9.8
2023-12-21 CVE-2023-51050 S CMS SQL Injection vulnerability in S-Cms 5.0

S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_productauth parameter at /admin/ajax.php.

9.8
2023-12-21 CVE-2023-51051 S CMS SQL Injection vulnerability in S-Cms 5.0

S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_textauth parameter at /admin/ajax.php.

9.8
2023-12-21 CVE-2023-51052 S CMS SQL Injection vulnerability in S-Cms 5.0

S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_formauth parameter at /admin/ajax.php.

9.8
2023-12-21 CVE-2023-6145 Softomi SQL Injection vulnerability in Softomi Advanced C2C Marketplace Software

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ?stanbul Soft Informatics and Consultancy Limited Company Softomi Advanced C2C Marketplace Software allows SQL Injection.This issue affects Softomi Advanced C2C Marketplace Software: before 12122023.

9.8
2023-12-21 CVE-2022-45377 Codedropz Unrestricted Upload of File with Dangerous Type vulnerability in Codedropz Drag and Drop multiple File Upload for Woocommerce

Unrestricted Upload of File with Dangerous Type vulnerability in Glen Don L.

9.8
2023-12-21 CVE-2023-32242 Xtemos Deserialization of Untrusted Data vulnerability in Xtemos Woodmart 1.0.36

Deserialization of Untrusted Data vulnerability in xtemos WoodMart - Multipurpose WooCommerce Theme.This issue affects WoodMart - Multipurpose WooCommerce Theme: from n/a through 1.0.36.

9.8
2023-12-21 CVE-2023-49778 Dmry Deserialization of Untrusted Data vulnerability in Dmry Sayfa Sayac 2.6

Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa Sayac.This issue affects Sayfa Sayac: from n/a through 2.6.

9.8
2023-12-21 CVE-2023-49826 Pencidesign Deserialization of Untrusted Data vulnerability in Pencidesign Soledad

Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.

9.8
2023-12-21 CVE-2023-51656 Apache Deserialization of Untrusted Data vulnerability in Apache Iotdb

Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue.

9.8
2023-12-21 CVE-2023-50477 NOS Unspecified vulnerability in NOS Client 0.6.6

An issue was discovered in nos client version 0.6.6, allows remote attackers to escalate privileges via getRPCEndpoint.js.

9.8
2023-12-21 CVE-2023-51655 Jetbrains Insufficient Verification of Data Authenticity vulnerability in Jetbrains Intellij Idea

In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration

9.8
2023-12-21 CVE-2023-7022 Tongda2000 SQL Injection vulnerability in Tongda2000 Office Anywhere 2017 11.9

A vulnerability was found in Tongda OA 2017 up to 11.9.

9.8
2023-12-21 CVE-2023-7023 Tongda2000 SQL Injection vulnerability in Tongda2000 Office Anywhere 2017 11.9

A vulnerability was found in Tongda OA 2017 up to 11.9.

9.8
2023-12-21 CVE-2023-29485 Heimdalsecurity Missing Authentication for Critical Function vulnerability in Heimdalsecurity Thor

An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to bypass network filtering, execute arbitrary code, and obtain sensitive information via DarkLayer Guard threat prevention module.

9.8
2023-12-21 CVE-2023-29486 Heimdalsecurity Unspecified vulnerability in Heimdalsecurity Thor

An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass USB access restrictions, execute arbitrary code, and obtain sensitive information via Next-Gen Antivirus component.

9.8
2023-12-21 CVE-2023-7020 Tongda2000 SQL Injection vulnerability in Tongda2000 Office Anywhere 2017 11.9

A vulnerability was found in Tongda OA 2017 up to 11.9 and classified as critical.

9.8
2023-12-21 CVE-2023-7021 Tongda2000 SQL Injection vulnerability in Tongda2000 Office Anywhere 2017 11.10/11.9

A vulnerability was found in Tongda OA 2017 up to 11.9.

9.8
2023-12-21 CVE-2023-49032 LTB Project Unspecified vulnerability in Ltb-Project Self Service Password

An issue in LTB Self Service Password before v.1.5.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via hijack of the SMS verification code function to arbitrary phone.

9.8
2023-12-20 CVE-2023-50983 Tenda Command Injection vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the sysScheduleRebootSet function.

9.8
2023-12-20 CVE-2023-50984 Tenda Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the ip parameter in the spdtstConfigAndStart function.

9.8
2023-12-20 CVE-2023-50985 Tenda Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the lanGw parameter in the lanCfgSet function.

9.8
2023-12-20 CVE-2023-50986 Tenda Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time parameter in the sysLogin function.

9.8
2023-12-20 CVE-2023-50987 Tenda Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time parameter in the sysTimeInfoSet function.

9.8
2023-12-20 CVE-2023-50988 Tenda Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the bandwidth parameter in the wifiRadioSetIndoor function.

9.8
2023-12-20 CVE-2023-50989 Tenda Command Injection vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the pingSet function.

9.8
2023-12-20 CVE-2023-50990 Tenda Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the rebootTime parameter in the sysScheduleRebootSet function.

9.8
2023-12-20 CVE-2023-50992 Tenda Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a stack overflow via the ip parameter in the setPing function.

9.8
2023-12-20 CVE-2023-50993 Ruijie OS Command Injection vulnerability in Ruijie Rg-Ws6008 Firmware and Rg-Ws6108 Firmware

Ruijie WS6008 v1.x v2.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 and WS6108 v1.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 was discovered to contain a command injection vulnerability via the function downFiles.

9.8
2023-12-20 CVE-2023-48433 Projectworlds SQL Injection vulnerability in Projectworlds Online Voting System Project 1.0

Online Voting System Project v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the login_action.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-20 CVE-2023-48434 Projectworlds SQL Injection vulnerability in Projectworlds Online Voting System Project 1.0

Online Voting System Project v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the reg_action.php resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2023-12-20 CVE-2023-25970 Zendrop Unrestricted Upload of File with Dangerous Type vulnerability in Zendrop 1.0.0

Unrestricted Upload of File with Dangerous Type vulnerability in Zendrop Zendrop – Global Dropshipping.This issue affects Zendrop – Global Dropshipping: from n/a through 1.0.0.

9.8
2023-12-20 CVE-2023-29384 Hmplugin Unrestricted Upload of File with Dangerous Type vulnerability in Hmplugin Jobwp

Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP.This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.0.

9.8
2023-12-20 CVE-2023-45603 Plugin Planet Unrestricted Upload of File with Dangerous Type vulnerability in Plugin-Planet User Submitted Posts

Unrestricted Upload of File with Dangerous Type vulnerability in Jeff Starr User Submitted Posts – Enable Users to Submit Posts from the Front End.This issue affects User Submitted Posts – Enable Users to Submit Posts from the Front End: from n/a through 20230902.

9.8
2023-12-20 CVE-2023-47990 Cuppacms SQL Injection vulnerability in Cuppacms 1.0

SQL Injection vulnerability in components/table_manager/html/edit_admin_table.php in CuppaCMS V1.0 allows attackers to run arbitrary SQL commands via the table parameter.

9.8
2023-12-20 CVE-2023-29432 Favethemes SQL Injection vulnerability in Favethemes Houzez 1.3.4

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme.This issue affects Houzez - Real Estate WordPress Theme: from n/a before 2.8.3.

9.8
2023-12-20 CVE-2023-49752 Spoonthemes SQL Injection vulnerability in Spoonthemes Adifier

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoon themes Adifier - Classified Ads WordPress Theme.This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4.

9.8
2023-12-20 CVE-2023-47118 Clickhouse Out-of-bounds Write vulnerability in Clickhouse and Clickhouse Cloud

ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time.

9.8
2023-12-20 CVE-2023-35915 Automattic SQL Injection vulnerability in Automattic Woopayments

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0.

9.8
2023-12-20 CVE-2023-49772 Phpbits Deserialization of Untrusted Data vulnerability in PHPbits Genesis Simple Love 2.0

Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love.This issue affects Genesis Simple Love: from n/a through 2.0.

9.8
2023-12-20 CVE-2023-49773 Bcorp Shortcodes Project Deserialization of Untrusted Data vulnerability in Bcorp Shortcodes Project Bcorp Shortcodes 0.23

Deserialization of Untrusted Data vulnerability in Tim Brattberg BCorp Shortcodes.This issue affects BCorp Shortcodes: from n/a through 0.23.

9.8
2023-12-20 CVE-2023-49776 Dmry SQL Injection vulnerability in Dmry Sayfa Sayac 2.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hakan Demiray Sayfa Sayac.This issue affects Sayfa Sayac: from n/a through 2.6.

9.8
2023-12-20 CVE-2023-5007 Kashipara SQL Injection vulnerability in Kashipara Student Information System 1.0

Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities.

9.8
2023-12-20 CVE-2023-5010 Kashipara SQL Injection vulnerability in Kashipara Student Information System 1.0

Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities.

9.8
2023-12-20 CVE-2023-5011 Kashipara SQL Injection vulnerability in Kashipara Student Information System 1.0

Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities.

9.8
2023-12-20 CVE-2023-28782 Gravityforms Deserialization of Untrusted Data vulnerability in Gravityforms Gravity Forms 2.7.3

Deserialization of Untrusted Data vulnerability in Rocketgenius Inc.

9.8
2023-12-20 CVE-2023-35895 IBM Injection vulnerability in IBM Informix Jdbc 4.10/4.50

IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API.

9.8
2023-12-20 CVE-2023-40010 Pluginus SQL Injection vulnerability in Pluginus Husky - products Filter Professional for Woocommerce

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in realmag777 HUSKY – Products Filter for WooCommerce Professional.This issue affects HUSKY – Products Filter for WooCommerce Professional: from n/a through 1.3.4.2.

9.8
2023-12-20 CVE-2023-40555 Uxthemes Deserialization of Untrusted Data vulnerability in Uxthemes Flatsome

Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme.This issue affects Flatsome | Multi-Purpose Responsive WooCommerce Theme: from n/a through 3.17.5.

9.8
2023-12-20 CVE-2023-47507 Averta Deserialization of Untrusted Data vulnerability in Averta Master Slider PRO 3.6.5

Deserialization of Untrusted Data vulnerability in Master Slider Master Slider Pro.This issue affects Master Slider Pro: from n/a through 3.6.5.

9.8
2023-12-20 CVE-2023-6768 MR Corner Improper Authentication vulnerability in Mr-Corner Amazing Little Poll 1.3/1.4

Authentication bypass vulnerability in Amazing Little Poll affecting versions 1.3 and 1.4.

9.8
2023-12-20 CVE-2023-6912 M Files Improper Restriction of Excessive Authentication Attempts vulnerability in M-Files Server

Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.

9.8
2023-12-20 CVE-2023-50044 Cesanta Classic Buffer Overflow vulnerability in Cesanta MJS 2.22.0

Cesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string.

9.8
2023-12-20 CVE-2023-50628 Libming Classic Buffer Overflow vulnerability in Libming 0.4.8

Buffer Overflow vulnerability in libming version 0.4.8, allows attackers to execute arbitrary code and obtain sensitive information via parser.c component.

9.8
2023-12-20 CVE-2023-6974 Lfprojects Server-Side Request Forgery (SSRF) vulnerability in Lfprojects Mlflow

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine.

9.8
2023-12-20 CVE-2023-6975 Lfprojects Path Traversal: '..filename' vulnerability in Lfprojects Mlflow

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

9.8
2023-12-20 CVE-2023-45887 Nintendo Unspecified vulnerability in Nintendo DS Wireless Communication 11/3

DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSION_11 allows remote attackers to execute arbitrary code on a game-playing client's machine via a modified GPCM message.

9.8
2023-12-19 CVE-2023-6928 Eurotel Improper Restriction of Excessive Authentication Attempts vulnerability in Eurotel Etl3100 Firmware 01C01/01X37

EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system.

9.8
2023-12-19 CVE-2023-6929 Eurotel Authorization Bypass Through User-Controlled Key vulnerability in Eurotel Etl3100 Firmware 01C01/01X37

EuroTel ETL3100 versions v01c01 and v01x37 are vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input.

9.8
2023-12-19 CVE-2023-6930 Eurotel Unspecified vulnerability in Eurotel Etl3100 Firmware 01C01/01X37

EuroTel ETL3100 versions v01c01 and v01x37 suffer from an unauthenticated configuration and log download vulnerability.

9.8
2023-12-19 CVE-2023-47267 Thegreenbow Improper Privilege Management vulnerability in Thegreenbow products

An issue discovered in TheGreenBow Windows Enterprise Certified VPN Client 6.52, Windows Standard VPN Client 6.87, and Windows Enterprise VPN Client 6.87 allows attackers to gain escalated privileges via crafted changes to memory mapped file.

9.8
2023-12-19 CVE-2023-49004 Dlink Code Injection vulnerability in Dlink Dir-850L Firmware Fw223Wwb01

An issue in D-Link DIR-850L v.B1_FW223WWb01 allows a remote attacker to execute arbitrary code via a crafted script to the en parameter.

9.8
2023-12-19 CVE-2023-48738 Portotheme SQL Injection vulnerability in Portotheme Functionality

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Porto Theme Porto Theme - Functionality.This issue affects Porto Theme - Functionality: from n/a before 2.12.1.

9.8
2023-12-19 CVE-2023-49750 Spoonthemes SQL Injection vulnerability in Spoonthemes Couponis

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoonthemes Couponis - Affiliate & Submitting Coupons WordPress Theme.This issue affects Couponis - Affiliate & Submitting Coupons WordPress Theme: from n/a before 2.2.

9.8
2023-12-19 CVE-2023-34027 Rajarora795 Deserialization of Untrusted Data vulnerability in Rajarora795 Recently Viewed products

Deserialization of Untrusted Data vulnerability in Rajnish Arora Recently Viewed Products.This issue affects Recently Viewed Products: from n/a through 1.0.0.

9.8
2023-12-19 CVE-2023-37390 Themesflat Deserialization of Untrusted Data vulnerability in Themesflat Addons for Elementor 2.0.0

Deserialization of Untrusted Data vulnerability in Themesflat Themesflat Addons For Elementor.This issue affects Themesflat Addons For Elementor: from n/a through 2.0.0.

9.8
2023-12-19 CVE-2023-41727 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46216 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46217 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46220 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46221 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46222 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46223 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46224 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46225 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46257 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46258 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46259 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46260 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46261 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

9.8
2023-12-19 CVE-2023-46263 Ivanti Unrestricted Upload of File with Dangerous Type vulnerability in Ivanti Avalanche

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.

9.8
2023-12-19 CVE-2023-46264 Ivanti Unrestricted Upload of File with Dangerous Type vulnerability in Ivanti Avalanche

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.

9.8
2023-12-19 CVE-2023-46265 Ivanti XXE vulnerability in Ivanti Avalanche

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

9.8
2023-12-19 CVE-2023-50272 HPE Unspecified vulnerability in HPE products

A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6).

9.8
2023-12-19 CVE-2023-43870 Paxton Access Use of Hard-coded Credentials vulnerability in Paxton-Access Net2 6.02/6.07

When installing the Net2 software a root certificate is installed into the trusted store.

9.8
2023-12-19 CVE-2019-25158 Pedroetb OS Command Injection vulnerability in Pedroetb Tts-Api

A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical.

9.8
2023-12-19 CVE-2023-47754 Cleverplugins Missing Authorization vulnerability in Cleverplugins Delete Duplicate Posts

Missing Authorization vulnerability in Clever plugins Delete Duplicate Posts allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Delete Duplicate Posts: from n/a through 4.8.9.

9.8
2023-12-19 CVE-2023-49819 Wpsc Plugin Deserialization of Untrusted Data vulnerability in Wpsc-Plugin Structured Content

Deserialization of Untrusted Data vulnerability in Gordon Böhme, Antonio Leutsch Structured Content (JSON-LD) #wpsc.This issue affects Structured Content (JSON-LD) #wpsc: from n/a through 1.5.3.

9.8
2023-12-18 CVE-2023-6272 Thememylogin Improper Restriction of Excessive Authentication Attempts vulnerability in Thememylogin 2FA

The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits.

9.8
2023-12-18 CVE-2023-32728 Zabbix Code Injection vulnerability in Zabbix Zabbix-Agent2

The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.

9.8
2023-12-18 CVE-2023-6483 Aditaas Improper Authentication vulnerability in Aditaas Allied Digital Integrated Tool-As-A-Service 5.1

The vulnerability exists in ADiTaaS (Allied Digital Integrated Tool-as-a-Service) version 5.1 due to an improper authentication vulnerability in the ADiTaaS backend API.

9.8
2023-12-18 CVE-2023-6906 Totolink Classic Buffer Overflow vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

A vulnerability, which was classified as critical, was found in Totolink A7100RU 7.4cu.2313_B20191024.

9.8
2023-12-18 CVE-2023-50976 Redpanda Missing Authorization vulnerability in Redpanda

Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authorization checks in the Transactions API.

9.8
2023-12-18 CVE-2023-6905 Nxfilter LDAP Injection vulnerability in Nxfilter 4.3.2.5

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.

9.8
2023-12-22 CVE-2023-50731 Mindsdb Path Traversal vulnerability in Mindsdb

MindsDB is a SQL Server for artificial intelligence.

9.1
2023-12-21 CVE-2023-50475 Bcoin Use of a Broken or Risky Cryptographic Algorithm vulnerability in Bcoin 2.2.0

An issue was discovered in bcoin-org bcoin version 2.2.0, allows remote attackers to obtain sensitive information via weak hashing algorithms in the component \vendor\faye-websocket.js.

9.1
2023-12-21 CVE-2023-29487 Heimdalsecurity Unspecified vulnerability in Heimdalsecurity Thor

An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module.

9.1
2023-12-20 CVE-2023-49161 Guelbetech SQL Injection vulnerability in Guelbetech Bravo Translate 1.2

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Guelben Bravo Translate.This issue affects Bravo Translate: from n/a through 1.2.

9.1
2023-12-20 CVE-2023-49166 Magiclogix SQL Injection vulnerability in Magiclogix Msync

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Magic Logix MSync.This issue affects MSync: from n/a through 1.0.0.

9.1
2023-12-20 CVE-2023-47702 IBM Path Traversal vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0

IBM Security Guardium Key Lifecycle Manager 4.3 could allow a remote attacker to traverse directories on the system.

9.1
2023-12-20 CVE-2023-27172 Xpand IT Improper Restriction of Excessive Authentication Attempts vulnerability in Xpand-It Write-Back Manager 2.3.1

Xpand IT Write-back Manager v2.3.1 uses weak secret keys to sign JWT tokens.

9.1
2023-12-19 CVE-2021-22962 Ivanti Unspecified vulnerability in Ivanti Avalanche

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

9.1
2023-12-19 CVE-2023-46266 Ivanti Unspecified vulnerability in Ivanti Avalanche

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

9.1
2023-12-18 CVE-2023-6907 Codelyfe Improper Authentication vulnerability in Codelyfe Stupid Simple CMS

A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2.4 and classified as critical.

9.1
2023-12-22 CVE-2023-50928 Amazon Improper Access Control vulnerability in Amazon Awslabs Sandbox Accounts for Events

"Sandbox Accounts for Events" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI.

9.0

206 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-24 CVE-2023-7091 Iteachyou Unrestricted Upload of File with Dangerous Type vulnerability in Iteachyou Dreamer CMS 4.1.3

A vulnerability was found in Dreamer CMS 4.1.3.

8.8
2023-12-23 CVE-2023-7090 Sudo Project Improper Privilege Management vulnerability in Sudo Project Sudo

A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo.

8.8
2023-12-23 CVE-2023-5961 Moxa Cross-Site Request Forgery (CSRF) vulnerability in Moxa products

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in ioLogik E1200 Series firmware versions v3.3 and prior.

8.8
2023-12-22 CVE-2023-51387 Dromara Code Injection vulnerability in Dromara Hertzbeat

Hertzbeat is an open source, real-time monitoring system.

8.8
2023-12-22 CVE-2023-50714 Yiiframework Improper Authentication vulnerability in Yiiframework Yii2-Authclient

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0.

8.8
2023-12-22 CVE-2023-49085 Cacti SQL Injection vulnerability in Cacti

Cacti provides an operational monitoring and fault management framework.

8.8
2023-12-22 CVE-2023-51448 Cacti SQL Injection vulnerability in Cacti 1.2.25

Cacti provides an operational monitoring and fault management framework.

8.8
2023-12-22 CVE-2023-7053 Phpgurukul Weak Password Requirements vulnerability in PHPgurukul Online Notes Sharing System 1.0

A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0.

8.8
2023-12-21 CVE-2023-49084 Cacti PHP Remote File Inclusion vulnerability in Cacti 1.2.25

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB).

8.8
2023-12-21 CVE-2023-7024 Google
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2023-12-21 CVE-2023-46647 Github Improper Privilege Management vulnerability in Github Enterprise Server

Improper privilege management in all versions of GitHub Enterprise Server allows users with authorized access to the management console with an editor role to escalate their privileges by making requests to the endpoint used for bootstrapping the instance. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.6, 3.10.3, and 3.11.0.

8.8
2023-12-21 CVE-2023-44481 Projectworlds SQL Injection vulnerability in Projectworlds Leave Management System 1.0

Leave Management System Project v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'setearnleave' parameter of the admin/setleaves.php resource does not validate the characters received and they are sent unfiltered to the database.

8.8
2023-12-21 CVE-2023-44482 Projectworlds SQL Injection vulnerability in Projectworlds Leave Management System 1.0

Leave Management System Project v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'setsickleave' parameter of the admin/setleaves.php resource does not validate the characters received and they are sent unfiltered to the database.

8.8
2023-12-21 CVE-2023-45120 Projectworlds SQL Injection vulnerability in Projectworlds Online Examination System 1.0

Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'qid' parameter of the /update.php?q=quiz&step=2 resource does not validate the characters received and they are sent unfiltered to the database.

8.8
2023-12-21 CVE-2023-45121 Projectworlds SQL Injection vulnerability in Projectworlds Online Examination System 1.0

Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'desc' parameter of the /update.php?q=addquiz resource does not validate the characters received and they are sent unfiltered to the database.

8.8
2023-12-21 CVE-2023-7037 Automad Server-Side Request Forgery (SSRF) vulnerability in Automad

A vulnerability was found in automad up to 1.10.9.

8.8
2023-12-21 CVE-2023-45115 Projectworlds SQL Injection vulnerability in Projectworlds Online Examination System 1.0

Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'ch' parameter of the /update.php?q=addqns resource does not validate the characters received and they are sent unfiltered to the database.

8.8
2023-12-21 CVE-2023-45116 Projectworlds SQL Injection vulnerability in Projectworlds Online Examination System 1.0

Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'demail' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database.

8.8
2023-12-21 CVE-2023-45117 Projectworlds SQL Injection vulnerability in Projectworlds Online Examination System 1.0

Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'eid' parameter of the /update.php?q=rmquiz resource does not validate the characters received and they are sent unfiltered to the database.

8.8
2023-12-21 CVE-2023-45118 Projectworlds SQL Injection vulnerability in Projectworlds Online Examination System 1.0

Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'fdid' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database.

8.8
2023-12-21 CVE-2023-45119 Projectworlds SQL Injection vulnerability in Projectworlds Online Examination System 1.0

Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'n' parameter of the /update.php?q=quiz resource does not validate the characters received and they are sent unfiltered to the database.

8.8
2023-12-21 CVE-2023-22674 Halgatewood Missing Authorization vulnerability in Halgatewood Dashicons + Custom Post Types 1.0.2

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in Hal Gatewood Dashicons + Custom Post Types.This issue affects Dashicons + Custom Post Types: from n/a through 1.0.2.

8.8
2023-12-20 CVE-2023-23970 Woorockets Unrestricted Upload of File with Dangerous Type vulnerability in Woorockets Corsa

Unrestricted Upload of File with Dangerous Type vulnerability in WooRockets Corsa.This issue affects Corsa: from n/a through 1.5.

8.8
2023-12-20 CVE-2023-31215 Amadercode Unrestricted Upload of File with Dangerous Type vulnerability in Amadercode Dropshipping & Affiliation With Amazon

Unrestricted Upload of File with Dangerous Type vulnerability in AmaderCode Lab Dropshipping & Affiliation with Amazon.This issue affects Dropshipping & Affiliation with Amazon: from n/a through 2.1.2.

8.8
2023-12-20 CVE-2023-33318 Woocommerce Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Automatewoo

Unrestricted Upload of File with Dangerous Type vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 4.9.40.

8.8
2023-12-20 CVE-2023-34007 Wpchill Unrestricted Upload of File with Dangerous Type vulnerability in Wpchill Download Monitor

Unrestricted Upload of File with Dangerous Type vulnerability in WPChill Download Monitor.This issue affects Download Monitor: from n/a through 4.8.3.

8.8
2023-12-20 CVE-2023-34385 Akshaymenariya Unrestricted Upload of File with Dangerous Type vulnerability in Akshaymenariya Export Import Menus

Unrestricted Upload of File with Dangerous Type vulnerability in Akshay Menariya Export Import Menus.This issue affects Export Import Menus: from n/a through 1.8.0.

8.8
2023-12-20 CVE-2023-46149 Themify Unrestricted Upload of File with Dangerous Type vulnerability in Themify Ultra

Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5.

8.8
2023-12-20 CVE-2023-47784 Themepunch Unrestricted Upload of File with Dangerous Type vulnerability in Themepunch Slider Revolution 3.0.95/4.1.4/4.2.2

Unrestricted Upload of File with Dangerous Type vulnerability in ThemePunch OHG Slider Revolution.This issue affects Slider Revolution: from n/a through 6.6.15.

8.8
2023-12-20 CVE-2023-28788 Pagevisitcounter SQL Injection vulnerability in Pagevisitcounter Advanced Page Visit Counter

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress.This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 6.4.2.

8.8
2023-12-20 CVE-2023-29096 Bestwebsoft SQL Injection vulnerability in Bestwebsoft Contact Form to DB

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress.This issue affects Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress: from n/a through 1.7.0.

8.8
2023-12-20 CVE-2023-46147 Themify Deserialization of Untrusted Data vulnerability in Themify Ultra 7.3.5

Deserialization of Untrusted Data vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5.

8.8
2023-12-20 CVE-2023-6976 Lfprojects Unrestricted Upload of File with Dangerous Type vulnerability in Lfprojects Mlflow

This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.

8.8
2023-12-20 CVE-2023-47706 IBM Unrestricted Upload of File with Dangerous Type vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0

IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to upload files of a dangerous file type.

8.8
2023-12-20 CVE-2023-6689 Efacec Cross-Site Request Forgery (CSRF) vulnerability in Efacec BCU 500 Firmware 4.07

A successful CSRF attack could force the user to perform state changing requests on the application.

8.8
2023-12-19 CVE-2023-49164 Oceanwp Cross-Site Request Forgery (CSRF) vulnerability in Oceanwp Ocean Extra

Cross-Site Request Forgery (CSRF) vulnerability in OceanWP Ocean Extra.This issue affects Ocean Extra: from n/a through 2.2.2.

8.8
2023-12-19 CVE-2023-50835 Praveengoswami Cross-Site Request Forgery (CSRF) vulnerability in Praveengoswami Advanced Category Template 0.1

Cross-Site Request Forgery (CSRF) vulnerability in Praveen Goswami Advanced Category Template.This issue affects Advanced Category Template: from n/a through 0.1.

8.8
2023-12-19 CVE-2023-50466 Weintek OS Command Injection vulnerability in Weintek Cmt2078X Firmware 2.1.3

An authenticated command injection vulnerability in Weintek cMT2078X easyweb Web Version v2.1.3, OS v20220215 allows attackers to execute arbitrary code or access sensitive information via injecting a crafted payload into the HMI Name parameter.

8.8
2023-12-19 CVE-2023-34382 Wedevs Deserialization of Untrusted Data vulnerability in Wedevs Dokan

Deserialization of Untrusted Data vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy.This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.19.

8.8
2023-12-19 CVE-2023-43826 Apache Integer Overflow or Wraparound vulnerability in Apache Guacamole

Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow.

8.8
2023-12-19 CVE-2023-6856 Mozilla
Debian
Out-of-bounds Write vulnerability in multiple products

The WebGL `DrawElementsInstanced` method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver.

8.8
2023-12-19 CVE-2023-6858 Mozilla
Debian
Out-of-bounds Write vulnerability in multiple products

Firefox was susceptible to a heap buffer overflow in `nsTextFragment` due to insufficient OOM handling.

8.8
2023-12-19 CVE-2023-6859 Mozilla
Debian
Use After Free vulnerability in multiple products

A use-after-free condition affected TLS socket creation when under memory pressure.

8.8
2023-12-19 CVE-2023-6861 Mozilla
Debian
Out-of-bounds Write vulnerability in multiple products

The `nsWindow::PickerOpen(void)` method was susceptible to a heap buffer overflow when running in headless mode.

8.8
2023-12-19 CVE-2023-6862 Mozilla
Debian
Use After Free vulnerability in multiple products

A use-after-free was identified in the `nsDNSService::Init`.

8.8
2023-12-19 CVE-2023-6863 Mozilla
Debian
The `ShutdownObserver()` was susceptible to potentially undefined behavior due to its reliance on a dynamic type that lacked a virtual destructor.
8.8
2023-12-19 CVE-2023-6864 Mozilla
Debian
Out-of-bounds Write vulnerability in multiple products

Memory safety bugs present in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.

8.8
2023-12-19 CVE-2023-6866 Mozilla Improper Handling of Exceptional Conditions vulnerability in Mozilla Firefox

TypedArrays can be fallible and lacked proper exception handling.

8.8
2023-12-19 CVE-2023-6873 Mozilla
Debian
Out-of-bounds Write vulnerability in multiple products

Memory safety bugs present in Firefox 120.

8.8
2023-12-19 CVE-2023-6730 Huggingface Deserialization of Untrusted Data vulnerability in Huggingface Transformers

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

8.8
2023-12-19 CVE-2023-49736 Apache SQL Injection vulnerability in Apache Superset

A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.

8.8
2023-12-19 CVE-2023-6940 Lfprojects Command Injection vulnerability in Lfprojects Mlflow

with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.

8.8
2023-12-19 CVE-2023-46212 Wpvnteam Missing Authorization vulnerability in Wpvnteam WP Extra

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in TienCOP WP EXtra allows Accessing Functionality Not Properly Constrained by ACLs, Cross Site Request Forgery.This issue affects WP EXtra: from n/a through 6.2.

8.8
2023-12-19 CVE-2023-48751 Xnau Missing Authorization vulnerability in Xnau Participants Database

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in Roland Barker, xnau webdesign Participants Database allows Accessing Functionality Not Properly Constrained by ACLs, Cross Site Request Forgery.This issue affects Participants Database: from n/a through 2.5.5.

8.8
2023-12-18 CVE-2023-34168 Esiteq SQL Injection vulnerability in Esiteq WP Report Post 2.1.2

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alex Raven WP Report Post allows SQL Injection.This issue affects WP Report Post: from n/a through 2.1.2.

8.8
2023-12-18 CVE-2023-47506 Masterslider SQL Injection vulnerability in Masterslider Master Slider

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Master slider Master Slider Pro allows SQL Injection.This issue affects Master Slider Pro: from n/a through 3.6.5.

8.8
2023-12-18 CVE-2023-49153 Codeastrology Cross-Site Request Forgery (CSRF) vulnerability in Codeastrology ADD to Cart Text Changer and Customize Button, ADD Custom Icon

Cross-Site Request Forgery (CSRF) vulnerability in Saiful Islam Add to Cart Text Changer and Customize Button, Add Custom Icon.This issue affects Add to Cart Text Changer and Customize Button, Add Custom Icon: from n/a through 2.0.

8.8
2023-12-18 CVE-2023-49155 WOW Company Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Button Generator

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Button Generator – easily Button Builder.This issue affects Button Generator – easily Button Builder: from n/a through 2.3.8.

8.8
2023-12-18 CVE-2023-49163 Mtrv Cross-Site Request Forgery (CSRF) vulnerability in Mtrv Teachpress

Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler teachPress.This issue affects teachPress: from n/a through 9.0.5.

8.8
2023-12-18 CVE-2023-49759 Gvectors Cross-Site Request Forgery (CSRF) vulnerability in Gvectors Woodiscuz - Woocommerce Comments

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team WooDiscuz – WooCommerce Comments.This issue affects WooDiscuz – WooCommerce Comments: from n/a through 2.3.0.

8.8
2023-12-18 CVE-2023-49760 Giannopouloskostas Cross-Site Request Forgery (CSRF) vulnerability in Giannopouloskostas Wpsoononlinepage

Cross-Site Request Forgery (CSRF) vulnerability in Giannopoulos Kostas WPsoonOnlinePage.This issue affects WPsoonOnlinePage: from n/a through 1.9.

8.8
2023-12-18 CVE-2023-49761 Gravitymaster Cross-Site Request Forgery (CSRF) vulnerability in Gravitymaster Product Enquiry for Woocommerce 3.0

Cross-Site Request Forgery (CSRF) vulnerability in Gravity Master Product Enquiry for WooCommerce.This issue affects Product Enquiry for WooCommerce: from n/a through 3.0.

8.8
2023-12-18 CVE-2023-49763 Creatomatic Cross-Site Request Forgery (CSRF) vulnerability in Creatomatic Csprite

Cross-Site Request Forgery (CSRF) vulnerability in Creatomatic Ltd CSprite.This issue affects CSprite: from n/a through 1.1.

8.8
2023-12-18 CVE-2023-49821 Livechat Cross-Site Request Forgery (CSRF) vulnerability in Livechat

Cross-Site Request Forgery (CSRF) vulnerability in LiveChat LiveChat – WP live chat plugin for WordPress.This issue affects LiveChat – WP live chat plugin for WordPress: from n/a through 4.5.15.

8.8
2023-12-18 CVE-2023-24590 Gallagher Use of Externally-Controlled Format String vulnerability in Gallagher Controller 6000 Firmware

A format string issue in the Controller 6000's optional diagnostic web interface can be used to write/read from memory, and in some instances crash the Controller 6000 leading to a Denial of Service. This issue affects: Gallagher Controller 6000 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior.

8.8
2023-12-18 CVE-2023-48768 Codeastrology Cross-Site Request Forgery (CSRF) vulnerability in Codeastrology Quantity Plus Minus Button for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in CodeAstrology Team Quantity Plus Minus Button for WooCommerce by CodeAstrology.This issue affects Quantity Plus Minus Button for WooCommerce by CodeAstrology: from n/a through 1.1.9.

8.8
2023-12-18 CVE-2023-48769 Bluecoral Cross-Site Request Forgery (CSRF) vulnerability in Bluecoral Chat Bubble

Cross-Site Request Forgery (CSRF) vulnerability in Blue Coral Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back.This issue affects Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back: from n/a through 2.3.

8.8
2023-12-18 CVE-2023-48772 Arulprasadj Cross-Site Request Forgery (CSRF) vulnerability in Arulprasadj Prevent Landscape Rotation

Cross-Site Request Forgery (CSRF) vulnerability in Arul Prasad J Prevent Landscape Rotation.This issue affects Prevent Landscape Rotation: from n/a through 2.0.

8.8
2023-12-18 CVE-2023-48773 Wpdoctor Cross-Site Request Forgery (CSRF) vulnerability in Wpdoctor Woocommerce Login Redirect 2.2.4

Cross-Site Request Forgery (CSRF) vulnerability in WP Doctor WooCommerce Login Redirect.This issue affects WooCommerce Login Redirect: from n/a through 2.2.4.

8.8
2023-12-18 CVE-2023-48778 Villatheme Cross-Site Request Forgery (CSRF) vulnerability in Villatheme Product Size Chart for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Product Size Chart For WooCommerce.This issue affects Product Size Chart For WooCommerce: from n/a through 1.1.5.

8.8
2023-12-18 CVE-2023-48781 Marketingrapel Cross-Site Request Forgery (CSRF) vulnerability in Marketingrapel Mkrapel Regiones Y Ciudades DE Chile Para WC

Cross-Site Request Forgery (CSRF) vulnerability in Marketing Rapel MkRapel Regiones y Ciudades de Chile para WC.This issue affects MkRapel Regiones y Ciudades de Chile para WC: from n/a through 4.3.0.

8.8
2023-12-18 CVE-2023-49148 Affiliatebooster Cross-Site Request Forgery (CSRF) vulnerability in Affiliatebooster Affiliate Booster

Cross-Site Request Forgery (CSRF) vulnerability in Kulwant Nagi Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates.This issue affects Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates: from n/a through 3.0.5.

8.8
2023-12-18 CVE-2023-4311 Maurice Unrestricted Upload of File with Dangerous Type vulnerability in Maurice Vrm360 1.2.1

The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 is vulnerable to arbitrary file upload due to insufficient checks in a plugin shortcode.

8.8
2023-12-18 CVE-2023-5882 Soflyy Cross-Site Request Forgery (CSRF) vulnerability in Soflyy products

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution.

8.8
2023-12-18 CVE-2023-5886 Soflyy Cross-Site Request Forgery (CSRF) vulnerability in Soflyy products

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution.

8.8
2023-12-18 CVE-2023-46617 Wpfoxly Cross-Site Request Forgery (CSRF) vulnerability in Wpfoxly Adfoxly

Cross-Site Request Forgery (CSRF) vulnerability in AdFoxly AdFoxly – Ad Manager, AdSense Ads & Ads.Txt.This issue affects AdFoxly – Ad Manager, AdSense Ads & Ads.Txt: from n/a through 1.8.5.

8.8
2023-12-18 CVE-2023-48762 Crocoblock Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock Jetelements for Elementor

Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetElements For Elementor.This issue affects JetElements For Elementor: from n/a through 2.6.13.

8.8
2023-12-18 CVE-2023-48766 Svgator Cross-Site Request Forgery (CSRF) vulnerability in Svgator

Cross-Site Request Forgery (CSRF) vulnerability in SVGator SVGator – Add Animated SVG Easily.This issue affects SVGator – Add Animated SVG Easily: from n/a through 1.2.4.

8.8
2023-12-18 CVE-2023-33214 Taggbox Cross-Site Request Forgery (CSRF) vulnerability in Taggbox 2.9

Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics.This issue affects Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics: from n/a through 3.1.

8.8
2023-12-18 CVE-2023-47787 Automattic Cross-Site Request Forgery (CSRF) vulnerability in Automattic Woocommerce Bookings 1.15.78

Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 2.0.3.

8.8
2023-12-18 CVE-2023-47789 Automattic Cross-Site Request Forgery (CSRF) vulnerability in Automattic Canada Post Shipping Method

Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Canada Post Shipping Method.This issue affects Canada Post Shipping Method: from n/a through 2.8.3.

8.8
2023-12-18 CVE-2023-47806 Saintsystems Cross-Site Request Forgery (CSRF) vulnerability in Saintsystems Disable User Login

Cross-Site Request Forgery (CSRF) vulnerability in Saint Systems Disable User Login.This issue affects Disable User Login: from n/a through 1.3.7.

8.8
2023-12-18 CVE-2023-48755 Teachpress Project Cross-Site Request Forgery (CSRF) vulnerability in Teachpress Project Teachpress

Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler teachPress.This issue affects teachPress: from n/a through 9.0.4.

8.8
2023-12-18 CVE-2023-49840 Palscode Cross-Site Request Forgery (CSRF) vulnerability in Palscode Multi Currency for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in Palscode Multi Currency For WooCommerce.This issue affects Multi Currency For WooCommerce: from n/a through 1.5.5.

8.8
2023-12-18 CVE-2023-49843 Quanticedge Cross-Site Request Forgery (CSRF) vulnerability in Quanticedge First Order Discount Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in QuanticEdge First Order Discount Woocommerce.This issue affects First Order Discount Woocommerce: from n/a through 1.21.

8.8
2023-12-18 CVE-2023-49844 Reviewsignal Cross-Site Request Forgery (CSRF) vulnerability in Reviewsignal Wpperformancetester

Cross-Site Request Forgery (CSRF) vulnerability in Kevin Ohashi WPPerformanceTester.This issue affects WPPerformanceTester: from n/a through 2.0.0.

8.8
2023-12-18 CVE-2023-49853 Paytr Cross-Site Request Forgery (CSRF) vulnerability in Paytr Taksit Tablosu - Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in PayTR Ödeme ve Elektronik Para Kurulu?u A.?.

8.8
2023-12-18 CVE-2023-49854 Madebytribe Cross-Site Request Forgery (CSRF) vulnerability in Madebytribe Caddy

Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive Caddy – Smart Side Cart for WooCommerce.This issue affects Caddy – Smart Side Cart for WooCommerce: from n/a through 1.9.7.

8.8
2023-12-18 CVE-2023-49855 Binarycarpenter Cross-Site Request Forgery (CSRF) vulnerability in Binarycarpenter Menu BAR Cart Icon for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in BinaryCarpenter Menu Bar Cart Icon For WooCommerce By Binary Carpenter.This issue affects Menu Bar Cart Icon For WooCommerce By Binary Carpenter: from n/a through 1.49.3.

8.8
2023-12-18 CVE-2023-50372 Wpgogo Cross-Site Request Forgery (CSRF) vulnerability in Wpgogo Custom Post Type Page Template

Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki Miyashita Custom Post Type Page Template.This issue affects Custom Post Type Page Template: from n/a through 1.1.

8.8
2023-12-18 CVE-2023-32725 Zabbix Reliance on Cookies without Validation and Integrity Checking vulnerability in Zabbix Frontend and Zabbix Server

The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports.

8.8
2023-12-22 CVE-2023-51661 Wasmer Unspecified vulnerability in Wasmer

Wasmer is a WebAssembly runtime that enables containers to run anywhere: from Desktop to the Cloud, Edge and even the browser.

8.6
2023-12-22 CVE-2023-51708 Bentley Improper Authentication vulnerability in Bentley products

Bentley eB System Management Console applications within Assetwise Integrity Information Server allow an unauthenticated user to view configuration options via a crafted request, leading to information disclosure.

8.6
2023-12-21 CVE-2023-51442 Navidrome Improper Authentication vulnerability in Navidrome

Navidrome is an open source web-based music collection server and streamer.

8.6
2023-12-21 CVE-2023-5594 Eset Improper Certificate Validation vulnerability in Eset products

Improper validation of the server’s certificate chain in secure traffic scanning feature considered intermediate certificate signed using the MD5 or SHA1 algorithm as trusted.

8.6
2023-12-18 CVE-2023-41314 Apache Incorrect Authorization vulnerability in Apache Doris

The api /api/snapshot and /api/get_log_file would allow unauthenticated access. It could allow a DoS attack or get arbitrary files from FE node. Please upgrade to 2.0.3 to fix these issues.

8.2
2023-12-21 CVE-2023-2585 Redhat Unspecified vulnerability in Redhat products

Keycloak's device authorization grant does not correctly validate the device code and client ID.

8.1
2023-12-20 CVE-2023-26525 Wedevs SQL Injection vulnerability in Wedevs Dokan

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy.This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.12.

8.1
2023-12-20 CVE-2023-30495 Themefic SQL Injection vulnerability in Themefic Ultimate Addons for Contact Form 7

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Ultimate Addons for Contact Form 7.This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.1.23.

8.1
2023-12-20 CVE-2023-30750 Cminds SQL Injection vulnerability in Cminds CM Popup 1.5.10/1.5.8/1.5.9

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CreativeMindsSolutions CM Popup Plugin for WordPress.This issue affects CM Popup Plugin for WordPress: from n/a through 1.5.10.

8.1
2023-12-20 CVE-2023-31092 Foxskav SQL Injection vulnerability in Foxskav Easy BET

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Foxskav Easy Bet.This issue affects Easy Bet: from n/a through 1.0.2.

8.1
2023-12-20 CVE-2023-33209 Crawlspider SQL Injection vulnerability in Crawlspider SEO Change Monitor

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CrawlSpider SEO Change Monitor – Track Website Changes.This issue affects SEO Change Monitor – Track Website Changes: from n/a through 1.2.

8.1
2023-12-20 CVE-2023-33330 Woocommerce SQL Injection vulnerability in Woocommerce Automatewoo

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 4.9.50.

8.1
2023-12-20 CVE-2023-49825 Pencidesign SQL Injection vulnerability in Pencidesign Soledad

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.

8.1
2023-12-20 CVE-2023-35876 Automattic Authorization Bypass Through User-Controlled Key vulnerability in Automattic Woocommerce Square

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1.

8.1
2023-12-20 CVE-2023-36520 Zackgrossbart Authorization Bypass Through User-Controlled Key vulnerability in Zackgrossbart Editorial Calendar

Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar.This issue affects Editorial Calendar: from n/a through 3.7.12.

8.1
2023-12-19 CVE-2023-6913 Imoulife Session Fixation vulnerability in Imoulife Imou Life 6.7.0

A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0.

8.1
2023-12-18 CVE-2023-23570 Gallagher Unspecified vulnerability in Gallagher Command Centre

Client-Side enforcement of Server-Side security for the Command Centre server could be bypassed and lead to invalid configuration with undefined behavior.

8.1
2023-12-18 CVE-2023-32726 Zabbix Improper Check for Unusual or Exceptional Conditions vulnerability in Zabbix Zabbix-Agent

The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server.

8.1
2023-12-24 CVE-2023-7101 Jmcnamara
Debian
Fedoraproject
Code Injection vulnerability in multiple products

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files.

7.8
2023-12-22 CVE-2023-50254 Deepin Path Traversal vulnerability in Deepin Reader

Deepin Linux's default document reader `deepin-reader` software suffers from a serious vulnerability in versions prior to 6.0.7 due to a design flaw that leads to remote command execution via crafted docx document.

7.8
2023-12-22 CVE-2023-48670 Dell Untrusted Search Path vulnerability in Dell Supportassist for Home PCS 3.14.2.45116

Dell SupportAssist for Home PCs version 3.14.1 and prior versions contain a privilege escalation vulnerability in the installer.

7.8
2023-12-22 CVE-2023-43116 Buildkite Link Following vulnerability in Buildkite Elastic CI Stack

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to change ownership of arbitrary directories via the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script.

7.8
2023-12-21 CVE-2023-7025 Kylinos Unspecified vulnerability in Kylinos Hedron-Domain-Hook

A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0.12-0k0.5.

7.8
2023-12-20 CVE-2023-7018 Huggingface Deserialization of Untrusted Data vulnerability in Huggingface Transformers

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

7.8
2023-12-19 CVE-2023-49147 Pdf24 Unspecified vulnerability in Pdf24 Creator

An issue was discovered in PDF24 Creator 11.14.0.

7.8
2023-12-19 CVE-2023-6314 Panasonic Out-of-bounds Write vulnerability in Panasonic Fpwin PRO 7.5.0.1/7.5.1.1

Stack-based buffer overflow in FPWin Pro version 7.7.0.0 and all previous versions may allow attackers to execute arbitrary code via a specially crafted project file.

7.8
2023-12-19 CVE-2023-6315 Panasonic Out-of-bounds Read vulnerability in Panasonic Fpwin PRO 7.5.0.1/7.5.1.1

Out-of-bouds read vulnerability in FPWin Pro version 7.7.0.0 and all previous versions may allow attackers to execute arbitrary code via a specially crafted project file.

7.8
2023-12-18 CVE-2023-6691 Cambiumnetworks Code Injection vulnerability in Cambiumnetworks Epmp Force 300-25 Firmware 4.7.0.1

Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a code injection vulnerability that could allow an attacker to perform remote code execution and gain root privileges.

7.8
2023-12-18 CVE-2023-6817 Linux Use After Free vulnerability in Linux Kernel

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free. We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.

7.8
2023-12-18 CVE-2023-47038 Perl Out-of-bounds Write vulnerability in Perl 5.34.0

A vulnerability was found in perl.

7.8
2023-12-23 CVE-2016-15036 Deis Race Condition vulnerability in Deis Workflow Manager

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Deis Workflow Manager up to 2.3.2.

7.5
2023-12-22 CVE-2023-50730 Typelevel Allocation of Resources Without Limits or Throttling vulnerability in Typelevel Grackle

Grackle is a GraphQL server written in functional Scala, built on the Typelevel stack.

7.5
2023-12-22 CVE-2023-51449 Gradio Project Path Traversal vulnerability in Gradio Project Gradio

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function.

7.5
2023-12-22 CVE-2023-51650 Dromara Missing Authorization vulnerability in Dromara Hertzbeat

Hertzbeat is an open source, real-time monitoring system.

7.5
2023-12-22 CVE-2023-51662 Snowflake Improper Certificate Validation vulnerability in Snowflake Connector

The Snowflake .NET driver provides an interface to the Microsoft .NET open source software framework for developing applications.

7.5
2023-12-22 CVE-2023-48704 Clickhouse Out-of-bounds Write vulnerability in Clickhouse and Clickhouse Cloud

ClickHouse is an open-source column-oriented database management system that allows generating analytical data reports in real-time.

7.5
2023-12-22 CVE-2022-39337 Dromara Incorrect Authorization vulnerability in Dromara Hertzbeat

Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless.

7.5
2023-12-22 CVE-2023-49391 Free5Gc Unspecified vulnerability in Free5Gc 3.3.0

An issue was discovered in free5GC version 3.3.0, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) on AMF component via crafted NGAP message.

7.5
2023-12-22 CVE-2023-49356 Glensawyer Out-of-bounds Write vulnerability in Glensawyer Mp3Gain 1.6.2

A stack buffer overflow vulnerability in MP3Gain v1.6.2 allows an attacker to cause a denial of service via the WriteMP3GainAPETag function at apetag.c:592.

7.5
2023-12-22 CVE-2023-24609 Matrixssl
Rambus
Integer Overflow or Wraparound vulnerability in multiple products

Matrix SSL 4.x through 4.6.0 and Rambus TLS Toolkit have a length-subtraction integer overflow for Client Hello Pre-Shared Key extension parsing in the TLS 1.3 server.

7.5
2023-12-22 CVE-2023-51713 Proftpd Out-of-bounds Read vulnerability in Proftpd

make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics.

7.5
2023-12-21 CVE-2023-48298 Clickhouse Integer Underflow (Wrap or Wraparound) vulnerability in Clickhouse and Clickhouse Cloud

ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time.

7.5
2023-12-21 CVE-2023-41097 Silabs Information Exposure Through Discrepancy vulnerability in Silabs Gecko Software Development KIT

An Observable Timing Discrepancy, Covert Timing Channel vulnerability in Silabs GSDK on ARM potentially allows Padding Oracle Crypto Attack on CBC PKCS7.This issue affects GSDK: through 4.4.0.

7.5
2023-12-21 CVE-2023-46648 Github Insufficient Entropy vulnerability in Github Enterprise Server

An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console.

7.5
2023-12-21 CVE-2023-6847 Github Improper Authentication vulnerability in Github Enterprise Server

An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request.

7.5
2023-12-21 CVE-2023-32747 Automattic Authorization Bypass Through User-Controlled Key vulnerability in Automattic Woocommerce Bookings 1.15.78

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 1.15.78.

7.5
2023-12-21 CVE-2023-28421 Winwar Information Exposure vulnerability in Winwar WP Email Capture

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Winwar Media WordPress Email Marketing Plugin – WP Email Capture.This issue affects WordPress Email Marketing Plugin – WP Email Capture: from n/a through 3.10.

7.5
2023-12-21 CVE-2023-2487 Smackcoders Information Exposure vulnerability in Smackcoders Export ALL Posts, Products, Orders, Refunds & Users

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Smackcoders Export All Posts, Products, Orders, Refunds & Users.This issue affects Export All Posts, Products, Orders, Refunds & Users: from n/a through 2.4.1.

7.5
2023-12-21 CVE-2023-48288 Hmplugin Information Exposure vulnerability in Hmplugin Jobwp

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP.This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.1.

7.5
2023-12-21 CVE-2023-49162 Bigcommerce Information Exposure vulnerability in Bigcommerce

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BigCommerce BigCommerce For WordPress.This issue affects BigCommerce For WordPress: from n/a through 5.0.6.

7.5
2023-12-21 CVE-2023-49762 Appmysite Information Exposure vulnerability in Appmysite

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AppMySite AppMySite – Create an app with the Best Mobile App Builder.This issue affects AppMySite – Create an app with the Best Mobile App Builder: from n/a through 3.11.0.

7.5
2023-12-21 CVE-2023-50481 Blinksocks Use of a Broken or Risky Cryptographic Algorithm vulnerability in Blinksocks 3.3.8

An issue was discovered in blinksocks version 3.3.8, allows remote attackers to obtain sensitive information via weak encryption algorithms in the component /presets/ssr-auth-chain.js.

7.5
2023-12-21 CVE-2023-45703 Hcltechsw Unspecified vulnerability in Hcltechsw HCL Launch

HCL Launch may mishandle input validation of an uploaded archive file leading to a denial of service due to resource exhaustion.

7.5
2023-12-21 CVE-2023-46131 Grails Unspecified vulnerability in Grails

Grails is a framework used to build web applications with the Groovy programming language.

7.5
2023-12-21 CVE-2023-51390 Aiven Cleartext Transmission of Sensitive Information vulnerability in Aiven Journalpump

journalpump is a daemon that takes log messages from journald and pumps them to a given output.

7.5
2023-12-20 CVE-2022-47597 Code Atlantic Unspecified vulnerability in Code-Atlantic Popup Maker

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker – Popup for opt-ins, lead gen, & more.This issue affects Popup Maker – Popup for opt-ins, lead gen, & more: from n/a through 1.17.1.

7.5
2023-12-20 CVE-2023-35914 Automattic Authorization Bypass Through User-Controlled Key vulnerability in Automattic Woocommerce Subscriptions

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions.This issue affects Woo Subscriptions: from n/a through 5.1.2.

7.5
2023-12-20 CVE-2023-35916 Automattic Authorization Bypass Through User-Controlled Key vulnerability in Automattic Woopayments

Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0.

7.5
2023-12-20 CVE-2023-32590 Subscribe TO Category Project SQL Injection vulnerability in Subscribe to Category Project Subscribe to Category

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category.This issue affects Subscribe to Category: from n/a through 2.7.4.

7.5
2023-12-20 CVE-2023-37871 Automattic Authorization Bypass Through User-Controlled Key vulnerability in Automattic Woocommerce Gocardless

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6.

7.5
2023-12-20 CVE-2023-50249 Sentry Unspecified vulnerability in Sentry Astro

Sentry-Javascript is official Sentry SDKs for JavaScript.

7.5
2023-12-20 CVE-2023-6562 Kakadusoftware Unrestricted Upload of File with Dangerous Type vulnerability in Kakadusoftware Kakadu SDK

JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server if the server allows the attacker to upload a specially-crafted the image that is displayed back to the attacker.

7.5
2023-12-20 CVE-2023-37544 Apache Improper Authentication vulnerability in Apache Pulsar

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.

7.5
2023-12-20 CVE-2023-6977 Lfprojects Path Traversal: '..filename' vulnerability in Lfprojects Mlflow

This vulnerability enables malicious users to read sensitive files on the server.

7.5
2023-12-20 CVE-2023-47704 IBM Use of Hard-coded Credentials vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0

IBM Security Guardium Key Lifecycle Manager 4.3 contains plain text hard-coded credentials or other secrets in source code repository.

7.5
2023-12-20 CVE-2023-50707 Efacec Resource Exhaustion vulnerability in Efacec BCU 500 Firmware 4.07

Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.

7.5
2023-12-19 CVE-2023-49812 Wppa Authorization Bypass Through User-Controlled Key vulnerability in Wppa WP Photo Album Plus

Authorization Bypass Through User-Controlled Key vulnerability in J.N.

7.5
2023-12-19 CVE-2023-44983 Aruba Unspecified vulnerability in Aruba Hispeed Cache

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aruba.It Aruba HiSpeed Cache.This issue affects Aruba HiSpeed Cache: from n/a through 2.0.6.

7.5
2023-12-19 CVE-2023-44991 Meowapps Unspecified vulnerability in Meowapps Media File Renamer - Auto & Manual Rename

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Jordy Meow Media File Renamer: Rename Files (Manual, Auto & AI).This issue affects Media File Renamer: Rename Files (Manual, Auto & AI): from n/a through 5.6.9.

7.5
2023-12-19 CVE-2023-46262 Ivanti Server-Side Request Forgery (SSRF) vulnerability in Ivanti Avalanche 6.3.2

An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.

7.5
2023-12-19 CVE-2023-46803 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS).

7.5
2023-12-19 CVE-2023-46804 Ivanti Out-of-bounds Write vulnerability in Ivanti Avalanche

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS).

7.5
2023-12-19 CVE-2023-1514 Hitachienergy Improper Certificate Validation vulnerability in Hitachienergy Rtu500 Scripting Interface 1.0.1.30/1.0.2/1.1.1

A vulnerability exists in the component RTU500 Scripting interface.

7.5
2023-12-19 CVE-2023-6280 52North XXE vulnerability in 52North WPS

An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11.

7.5
2023-12-19 CVE-2023-6711 Hitachienergy Classic Buffer Overflow vulnerability in Hitachienergy Rtu500 Firmware

Vulnerability exists in SCI IEC 60870-5-104 and HCI IEC 60870-5-104 that affects the RTU500 series product versions listed below.

7.5
2023-12-19 CVE-2023-44982 Meowapps Unspecified vulnerability in Meowapps Perfect Images

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Jordy Meow Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina).This issue affects Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina): from n/a through 6.4.5.

7.5
2023-12-18 CVE-2023-5949 Wpmudev Missing Authorization vulnerability in Wpmudev Smartcrawl

The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content.

7.5
2023-12-18 CVE-2023-6203 TRI Unspecified vulnerability in TRI the Events Calendar

The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password protected posts to unauthenticated users via a crafted request

7.5
2023-12-18 CVE-2023-46177 IBM Path Traversal vulnerability in IBM MQ Appliance 9.3.0.0

IBM MQ Appliance 9.3 LTS and 9.3 CD could allow a remote attacker to traverse directories on the system.

7.5
2023-12-18 CVE-2023-3430 Openimageio Out-of-bounds Write vulnerability in Openimageio 2.4.11

A vulnerability was found in OpenImageIO, where a heap buffer overflow exists in the src/gif.imageio/gifinput.cpp file.

7.5
2023-12-18 CVE-2023-4320 Redhat Insufficient Session Expiration vulnerability in Redhat Satellite

An arithmetic overflow flaw was found in Satellite when creating a new personal access token.

7.5
2023-12-18 CVE-2023-32230 Bosch Unspecified vulnerability in Bosch products

An improper handling of a malformed API request to an API server in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation.

7.5
2023-12-18 CVE-2023-50980 Cryptopp Unspecified vulnerability in Cryptopp Crypto++

gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (application crash) via DER public-key data for an F(2^m) curve, if the degree of each term in the polynomial is not strictly decreasing.

7.5
2023-12-18 CVE-2023-50981 Cryptopp Infinite Loop vulnerability in Cryptopp Crypto++

ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (infinite loop) via crafted DER public-key data associated with squared odd numbers, such as the square of 268995137513890432434389773128616504853.

7.5
2023-12-18 CVE-2023-6909 Lfprojects Path Traversal: '..filename' vulnerability in Lfprojects Mlflow

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

7.5
2023-12-23 CVE-2023-7002 Backupbliss OS Command Injection vulnerability in Backupbliss Backup Migration

The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter.

7.2
2023-12-20 CVE-2023-28170 Themely Unrestricted Upload of File with Dangerous Type vulnerability in Themely Theme Demo Import

Unrestricted Upload of File with Dangerous Type vulnerability in Themely Theme Demo Import.This issue affects Theme Demo Import: from n/a through 1.1.1.

7.2
2023-12-20 CVE-2023-29102 Olivethemes Unrestricted Upload of File with Dangerous Type vulnerability in Olivethemes Olive ONE Click Demo Import 1.1.1

Unrestricted Upload of File with Dangerous Type vulnerability in Olive Themes Olive One Click Demo Import.This issue affects Olive One Click Demo Import: from n/a through 1.1.1.

7.2
2023-12-20 CVE-2023-40204 Premio Unrestricted Upload of File with Dangerous Type vulnerability in Premio Folders

Unrestricted Upload of File with Dangerous Type vulnerability in Premio Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager.This issue affects Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager: from n/a through 2.9.2.

7.2
2023-12-20 CVE-2023-49814 Symbiostock Unrestricted Upload of File with Dangerous Type vulnerability in Symbiostock

Unrestricted Upload of File with Dangerous Type vulnerability in Symbiostock symbiostock.This issue affects Symbiostock: from n/a through 6.0.0.

7.2
2023-12-20 CVE-2022-47599 Bitapps Deserialization of Untrusted Data vulnerability in Bitapps File Manager

Deserialization of Untrusted Data vulnerability in File Manager by Bit Form Team File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager.This issue affects File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager: from n/a through 5.2.7.

7.2
2023-12-20 CVE-2023-28491 Tribulant SQL Injection vulnerability in Tribulant Slideshow Gallery

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Slideshow Gallery LITE.This issue affects Slideshow Gallery LITE: from n/a through 1.7.6.

7.2
2023-12-20 CVE-2023-32128 Adastracrypto SQL Injection vulnerability in Adastracrypto Cryptocurrency Payment & Donation BOX

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free.This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free: from n/a through 2.2.7.

7.2
2023-12-20 CVE-2023-47852 Linkwhisper SQL Injection vulnerability in Linkwhisper Link Whisper Free

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Link Whisper Link Whisper Free.This issue affects Link Whisper Free: from n/a through 0.6.5.

7.2
2023-12-19 CVE-2023-38126 Softing Path Traversal vulnerability in Softing Edgeaggregator 3.4.0

Softing edgeAggregator Restore Configuration Directory Traversal Remote Code Execution Vulnerability.

7.2
2023-12-19 CVE-2023-48327 Wcvendors SQL Injection vulnerability in Wcvendors Woocommerce Multi-Vendor, Woocommerce Marketplace, Product Vendors 2.4.7

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Vendors WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors.This issue affects WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors: from n/a through 2.4.7.

7.2
2023-12-19 CVE-2023-48741 Quantumcloud SQL Injection vulnerability in Quantumcloud AI Chatbot

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud AI ChatBot.This issue affects AI ChatBot: from n/a through 4.7.8.

7.2
2023-12-19 CVE-2023-48764 Guardgiant SQL Injection vulnerability in Guardgiant

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GuardGiant Brute Force Protection WordPress Brute Force Protection – Stop Brute Force Attacks.This issue affects WordPress Brute Force Protection – Stop Brute Force Attacks: from n/a through 2.2.5.

7.2
2023-12-19 CVE-2023-49764 Sigmaplugin SQL Injection vulnerability in Sigmaplugin Advanced Database Cleaner 3.1.2

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Younes JFR.

7.2
2023-12-19 CVE-2023-46154 E2Pdf Deserialization of Untrusted Data vulnerability in E2Pdf

Deserialization of Untrusted Data vulnerability in E2Pdf.Com E2Pdf – Export To Pdf Tool for WordPress.This issue affects E2Pdf – Export To Pdf Tool for WordPress: from n/a through 1.20.18.

7.2
2023-12-18 CVE-2023-33331 WOO SQL Injection vulnerability in WOO Product Vendors

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce Product Vendors allows SQL Injection.This issue affects Product Vendors: from n/a through 2.1.76.

7.2
2023-12-18 CVE-2023-47530 Wpvibes SQL Injection vulnerability in Wpvibes Redirect 404 Error Page to Homepage or Custom Page With Logs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPVibes Redirect 404 Error Page to Homepage or Custom Page with Logs allows SQL Injection.This issue affects Redirect 404 Error Page to Homepage or Custom Page with Logs: from n/a through 1.8.7.

7.2
2023-12-18 CVE-2023-4724 Soflyy Unspecified vulnerability in Soflyy products

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not validate and sanitise the `wp_query` parameter which allows an attacker to run arbitrary command on the remote server

7.2
2023-12-18 CVE-2023-6222 Quttera Path Traversal vulnerability in Quttera web Malware Scanner

IThe Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks

7.2
2023-12-18 CVE-2023-6295 Siteorigin Unspecified vulnerability in Siteorigin Widgets Bundle

The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 does not validate user input before using it to generate paths passed to include function/s, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites.

7.2
2023-12-18 CVE-2023-39509 Bosch Command Injection vulnerability in Bosch Cpp13 Firmware and Cpp14 Firmware

A command injection vulnerability exists in Bosch IP cameras that allows an authenticated user with administrative rights to run arbitrary commands on the OS of the camera.

7.2
2023-12-18 CVE-2023-32727 Zabbix Improper Input Validation vulnerability in Zabbix Server 7.0.0

An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server.

7.2
2023-12-18 CVE-2023-46686 Gallagher Unspecified vulnerability in Gallagher Command Centre 9.00/9.00.1507

A reliance on untrusted inputs in a security decision could be exploited by a privileged user to configure the Gallagher Command Centre Diagnostics Service to use less secure communication protocols.

7.1
2023-12-24 CVE-2023-51767 Openbsd
Fedoraproject
Redhat
OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit.
7.0
2023-12-22 CVE-2023-42465 Sudo Project Unspecified vulnerability in Sudo Project Sudo

Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.

7.0
2023-12-22 CVE-2023-43741 Buildkite Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Buildkite Elastic CI Stack

A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to bypass a symbolic link check for the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script.

7.0
2023-12-21 CVE-2023-46649 Github Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Github Enterprise Server

A race condition in GitHub Enterprise Server was identified that could allow an attacker administrator access.

7.0
2023-12-21 CVE-2023-6546 Linux
Fedoraproject
Redhat
Race Condition vulnerability in multiple products

A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel.

7.0
2023-12-19 CVE-2023-6931 Linux
Debian
Out-of-bounds Write vulnerability in multiple products

A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.

7.0
2023-12-19 CVE-2023-6932 Linux Use After Free vulnerability in Linux Kernel

A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation. A race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread. We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.

7.0

203 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-22 CVE-2023-43088 Dell Unspecified vulnerability in Dell Precision 7865 Tower Firmware

Dell Client BIOS contains a pre-boot direct memory access (DMA) vulnerability.

6.8
2023-12-20 CVE-2023-3742 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in ADB in Google Chrome on ChromeOS prior to 114.0.5735.90 allowed a local attacker to bypass device policy restrictions via physical access to the device.

6.8
2023-12-20 CVE-2023-0011 U Blox OS Command Injection vulnerability in U-Blox products

A flaw in the input validation in TOBY-L2 allows a user to execute arbitrary operating system commands using specifically crafted AT commands.

6.8
2023-12-19 CVE-2023-49706 Linotp Race Condition vulnerability in Linotp and Virtual Appliance

Defective request context handling in Self Service in LinOTP 3.x before 3.2.5 allows remote unauthenticated attackers to escalate privileges, thereby allowing them to act as and with the permissions of another user.

6.8
2023-12-18 CVE-2023-6355 Gallagher Incorrect Authorization vulnerability in Gallagher Controller 7000 Firmware

Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug.

6.8
2023-12-22 CVE-2023-39251 Dell Unspecified vulnerability in Dell products

Dell BIOS contains an Improper Input Validation vulnerability.

6.7
2023-12-23 CVE-2023-49594 Michaelkelly Unspecified vulnerability in Michaelkelly Duouniversalkeycloakauthenticator

An information disclosure vulnerability exists in the challenge functionality of instipod DuoUniversalKeycloakAuthenticator 1.0.7 plugin.

6.5
2023-12-23 CVE-2023-5962 Moxa Use of a Broken or Risky Cryptographic Algorithm vulnerability in Moxa products

A weak cryptographic algorithm vulnerability has been identified in ioLogik E1200 Series firmware versions v3.3 and prior.

6.5
2023-12-22 CVE-2023-48308 Nextcloud Improper Cross-boundary Removal of Sensitive Data vulnerability in Nextcloud Calendar

Nextcloud/Cloud is a calendar app for Nextcloud.

6.5
2023-12-21 CVE-2023-6802 Github Information Exposure Through Log Files vulnerability in Github Enterprise Server

An insertion of sensitive information into the log file in the audit log in GitHub Enterprise Server was identified that could allow an attacker to gain access to the management console.

6.5
2023-12-21 CVE-2023-7040 Codelyfe Path Traversal: '../filedir' vulnerability in Codelyfe Stupid Simple CMS

A vulnerability classified as problematic was found in codelyfe Stupid Simple CMS up to 1.2.4.

6.5
2023-12-21 CVE-2023-32799 Woocommerce Authorization Bypass Through User-Controlled Key vulnerability in Woocommerce Shipping multiple Addresses

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses.This issue affects Shipping Multiple Addresses: from n/a through 3.8.3.

6.5
2023-12-21 CVE-2023-47191 Kainelabs Authorization Bypass Through User-Controlled Key vulnerability in Kainelabs Youzify

Authorization Bypass Through User-Controlled Key vulnerability in KaineLabs Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress.This issue affects Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress: from n/a through 1.2.2.

6.5
2023-12-21 CVE-2023-49765 Blazzdev Authorization Bypass Through User-Controlled Key vulnerability in Blazzdev Rate MY Post

Authorization Bypass Through User-Controlled Key vulnerability in Blaz K.

6.5
2023-12-21 CVE-2023-7038 Automad Cross-Site Request Forgery (CSRF) vulnerability in Automad

A vulnerability was found in automad up to 1.10.9.

6.5
2023-12-21 CVE-2023-40058 Solarwinds Unspecified vulnerability in Solarwinds Access Rights Manager

Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment.

6.5
2023-12-21 CVE-2023-49920 Apache Cross-Site Request Forgery (CSRF) vulnerability in Apache Airflow

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later which is not affected

6.5
2023-12-21 CVE-2023-50783 Apache Improper Access Control vulnerability in Apache Airflow

Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification. Users are recommended to upgrade to 2.8.0, which fixes this issue

6.5
2023-12-21 CVE-2023-7026 Lightxun Unrestricted Upload of File with Dangerous Type vulnerability in Lightxun Iptv Gateway

A vulnerability was found in Lightxun IPTV Gateway up to 20231208.

6.5
2023-12-21 CVE-2023-47093 Stormshield Unspecified vulnerability in Stormshield Network Security

An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.21, 4.4.0 through 4.6.8, and 4.7.0.

6.5
2023-12-20 CVE-2022-44684 Microsoft Unspecified vulnerability in Microsoft products

Windows Local Session Manager (LSM) Denial of Service Vulnerability

6.5
2023-12-20 CVE-2023-31231 Unlimited Elements Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited-Elements Unlimited Elements for Elementor (Free Widgets, Addons, Templates)

Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates).This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.65.

6.5
2023-12-20 CVE-2023-30872 Bannersky SQL Injection vulnerability in Bannersky BSK Forms Blacklist

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BannerSky BSK Forms Blacklist.This issue affects BSK Forms Blacklist: from n/a through 3.6.2.

6.5
2023-12-20 CVE-2023-41796 Sunshinephotocart Authorization Bypass Through User-Controlled Key vulnerability in Sunshinephotocart Sunshine Photo Cart

Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers.This issue affects Sunshine Photo Cart: Free Client Galleries for Photographers: from n/a before 3.0.0.

6.5
2023-12-20 CVE-2023-46311 Gvectors Authorization Bypass Through User-Controlled Key vulnerability in Gvectors Wpdiscuz

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through 7.6.3.

6.5
2023-12-20 CVE-2023-6910 M Files Unspecified vulnerability in M-Files Server

A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption.

6.5
2023-12-20 CVE-2023-47161 IBM Improper Input Validation vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 may mishandle input validation of an uploaded archive file leading to a denial of service due to resource exhaustion.

6.5
2023-12-19 CVE-2022-43450 XWP Authorization Bypass Through User-Controlled Key vulnerability in XWP Stream

Authorization Bypass Through User-Controlled Key vulnerability in XWP Stream.This issue affects Stream: from n/a through 3.9.2.

6.5
2023-12-19 CVE-2023-47146 IBM Unspecified vulnerability in IBM Qradar Security Information and Event Manager 7.5.0

IBM Qradar SIEM 7.5 could allow a privileged user to obtain sensitive domain information due to data being misidentified.

6.5
2023-12-19 CVE-2023-25715 Gamipress Missing Authorization vulnerability in Gamipress

Missing Authorization vulnerability in GamiPress GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress.This issue affects GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress: from n/a through 2.5.6.

6.5
2023-12-19 CVE-2023-6860 Mozilla
Debian
The `VideoBridge` allowed any content process to use textures produced by remote decoders.
6.5
2023-12-19 CVE-2023-6865 Mozilla
Debian
`EncryptingOutputStream` was susceptible to exposing uninitialized data.
6.5
2023-12-19 CVE-2023-6869 Mozilla Unspecified vulnerability in Mozilla Firefox

A `<dialog>` element could have been manipulated to paint content outside of a sandboxed iframe.

6.5
2023-12-19 CVE-2023-6872 Mozilla Unspecified vulnerability in Mozilla Firefox

Browser tab titles were being leaked by GNOME to system logs.

6.5
2023-12-19 CVE-2023-46104 Apache Resource Exhaustion vulnerability in Apache Superset

Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets.   This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.

6.5
2023-12-19 CVE-2023-49006 Phpsysinfo Cross-Site Request Forgery (CSRF) vulnerability in PHPsysinfo 3.4.3

Cross Site Request Forgery (CSRF) vulnerability in Phpsysinfo version 3.4.3 allows a remote attacker to obtain sensitive information via a crafted page in the XML.php file.

6.5
2023-12-19 CVE-2023-49734 Apache Incorrect Authorization vulnerability in Apache Superset

An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.

6.5
2023-12-18 CVE-2023-47558 Lindeni SQL Injection vulnerability in Lindeni WHO HIT the Page - HIT Counter

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mahlamusa Who Hit The Page – Hit Counter allows SQL Injection.This issue affects Who Hit The Page – Hit Counter: from n/a through 1.4.14.3.

6.5
2023-12-18 CVE-2023-6077 Wpfrank Unspecified vulnerability in Wpfrank Slider Factory PRO

The Slider WordPress plugin before 3.5.12 does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any authenticated users, such as subscriber to access the content arbitrary post such as private, draft and password protected

6.5
2023-12-18 CVE-2023-51385 Openbsd
Debian
OS Command Injection vulnerability in multiple products

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations.

6.5
2023-12-18 CVE-2022-40312 Givewp Server-Side Request Forgery (SSRF) vulnerability in Givewp

Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.1.

6.5
2023-12-18 CVE-2023-3628 Redhat
Infinispan
A flaw was found in Infinispan's REST.
6.5
2023-12-18 CVE-2023-3629 Redhat
Infinispan
A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation.
6.5
2023-12-18 CVE-2023-5236 Redhat
Infinispan
A flaw was found in Infinispan, which does not detect circular object references when unmarshalling.
6.5
2023-12-21 CVE-2023-50732 Xwiki Incorrect Authorization vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

6.3
2023-12-18 CVE-2023-5115 Redhat
Debian
Path Traversal vulnerability in multiple products

An absolute path traversal attack exists in the Ansible automation platform.

6.3
2023-12-23 CVE-2014-125108 W3 Cross-site Scripting vulnerability in W3 Spell Checker

A vulnerability was found in w3c online-spellchecker-py up to 20140130.

6.1
2023-12-22 CVE-2023-50727 Resque Cross-site Scripting vulnerability in Resque

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later.

6.1
2023-12-22 CVE-2023-50725 Resque Cross-site Scripting vulnerability in Resque

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later.

6.1
2023-12-22 CVE-2023-50250 Cacti Cross-site Scripting vulnerability in Cacti 1.2.25

Cacti is an open source operational monitoring and fault management framework.

6.1
2023-12-22 CVE-2023-7076 MY AAC Cross-site Scripting vulnerability in My-Aac Myaac

A vulnerability was found in slawkens MyAAC up to 0.8.13.

6.1
2023-12-22 CVE-2023-7075 Code Projects Cross-site Scripting vulnerability in Code-Projects Point of Sales and Inventory Management System 1.0

A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0 and classified as problematic.

6.1
2023-12-22 CVE-2023-50569 Cacti Cross-site Scripting vulnerability in Cacti 1.2.25

Reflected Cross Site Scripting (XSS) vulnerability in Cacti v1.2.25, allows remote attackers to escalate privileges when uploading an xml template file via templates_import.php.

6.1
2023-12-22 CVE-2023-7057 Carmelogarcia Cross-site Scripting vulnerability in Carmelogarcia Faculty Management System 1.0

A vulnerability, which was classified as problematic, has been found in code-projects Faculty Management System 1.0.

6.1
2023-12-22 CVE-2023-51704 Mediawiki Cross-site Scripting vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2.

6.1
2023-12-21 CVE-2023-37520 Hcltech Cross-site Scripting vulnerability in Hcltech Bigfix Platform

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration.

6.1
2023-12-21 CVE-2023-37519 Hcltech Cross-site Scripting vulnerability in Hcltech Bigfix Platform

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability.

6.1
2023-12-21 CVE-2023-50724 Resque Cross-site Scripting vulnerability in Resque

Resque (pronounced like "rescue") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later.

6.1
2023-12-21 CVE-2023-6122 Softomi Cross-site Scripting vulnerability in Softomi Advanced C2C Marketplace Software

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ?stanbul Soft Informatics and Consultancy Limited Company Softomi Geli?mi? C2C Pazaryeri Yaz?l?m? allows Reflected XSS.This issue affects Softomi Geli?mi? C2C Pazaryeri Yaz?l?m?: before 12122023.

6.1
2023-12-21 CVE-2023-5988 Uyumsoft Cross-site Scripting vulnerability in Uyumsoft Lioxerp

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uyumsoft Information System and Technologies LioXERP allows Reflected XSS.This issue affects LioXERP: before v.146.

6.1
2023-12-21 CVE-2023-5989 Uyumsoft Cross-site Scripting vulnerability in Uyumsoft Lioxerp

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uyumsoft Information System and Technologies LioXERP allows Stored XSS.This issue affects LioXERP: before v.146.

6.1
2023-12-20 CVE-2023-50704 Efacec Open Redirect vulnerability in Efacec UC 500E Firmware 10.1.0

An attacker could construct a URL within the application that causes a redirection to an arbitrary external domain and could be leveraged to facilitate phishing attacks against application users.

6.1
2023-12-19 CVE-2023-46624 Parcelpro Open Redirect vulnerability in Parcelpro Parcel PRO

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Parcel Pro.This issue affects Parcel Pro: from n/a through 1.6.11.

6.1
2023-12-19 CVE-2023-35883 Magazine3 Open Redirect vulnerability in Magazine3 Core web Vitals & Pagespeed Booster 1.0.12

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Magazine3 Core Web Vitals & PageSpeed Booster.This issue affects Core Web Vitals & PageSpeed Booster: from n/a through 1.0.12.

6.1
2023-12-19 CVE-2023-37982 Crmperks Open Redirect vulnerability in Crmperks Integration for Salesforce and Contact Form 7, Wpforms, Elementor, Ninja Forms 1.3.3

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.3.3.

6.1
2023-12-19 CVE-2023-38478 Crmperks Open Redirect vulnerability in Crmperks Integration for Woocommerce and Quickbooks 1.2.3

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and QuickBooks.This issue affects Integration for WooCommerce and QuickBooks: from n/a through 1.2.3.

6.1
2023-12-19 CVE-2023-38481 Crmperks Open Redirect vulnerability in Crmperks Integration for Woocommerce and Zoho Crm, Books, Invoice, Inventory, Bigin

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin.This issue affects Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin: from n/a before 1.3.7.

6.1
2023-12-19 CVE-2023-40602 Doofinder Open Redirect vulnerability in Doofinder

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Doofinder Doofinder WP & WooCommerce Search.This issue affects Doofinder WP & WooCommerce Search: from n/a through 1.5.49.

6.1
2023-12-19 CVE-2023-41648 Swapnilpatil Open Redirect vulnerability in Swapnilpatil Login and Logout Redirect

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Swapnil V.

6.1
2023-12-19 CVE-2023-45105 Servit Open Redirect vulnerability in Servit Affiliate-Toolkit

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin.This issue affects affiliate-toolkit – WordPress Affiliate Plugin: from n/a through 3.3.9.

6.1
2023-12-19 CVE-2023-6867 Mozilla
Debian
Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products

The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts.

6.1
2023-12-19 CVE-2023-49489 Kodcloud Cross-site Scripting vulnerability in Kodcloud Kodexplorer 4.51

Reflective Cross Site Scripting (XSS) vulnerability in KodExplorer version 4.51, allows attackers to obtain sensitive information and escalate privileges via the APP_HOST parameter at config/i18n/en/main.php.

6.1
2023-12-19 CVE-2023-50376 Simple Membership Plugin Cross-site Scripting vulnerability in Simple-Membership-Plugin Simple Membership

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider Simple Membership allows Reflected XSS.This issue affects Simple Membership: from n/a through 4.3.8.

6.1
2023-12-18 CVE-2023-6927 Redhat Open Redirect vulnerability in Redhat Keycloak and Single Sign-On

A flaw was found in Keycloak.

6.1
2023-12-18 CVE-2023-5348 Multivendorx Cross-site Scripting vulnerability in Multivendorx Product Catalog Mode for Woocommerce

The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users.

6.1
2023-12-23 CVE-2023-7008 Systemd Project Unspecified vulnerability in Systemd Project Systemd 25

A vulnerability was found in systemd-resolved.

5.9
2023-12-20 CVE-2023-50703 Efacec Cleartext Transmission of Sensitive Information vulnerability in Efacec UC 500E Firmware 10.1.0

An attacker with network access could perform a man-in-the-middle (MitM) attack and capture sensitive information to gain unauthorized access to the application.

5.9
2023-12-18 CVE-2023-48795 Openbsd
Putty
Filezilla Project
Microsoft
Panic
Roumenpetrov
Winscp
Bitvise
Lancom Systems
Vandyke
Libssh
NET SSH
Ssh2 Project
Proftpd
Freebsd
Crates
Tera Term Project
Oryx Embedded
Crushftp
Netsarang
Paramiko
Redhat
Golang
Russh Project
Sftpgo Project
Erlang
Matez
Libssh2
Asyncssh Project
Dropbear SSH Project
Jadaptive
SSH
Thorntech
Netgate
Connectbot
Apache
Tinyssh
Trilead
Kitty Project
Gentoo
Improper Validation of Integrity Check Value vulnerability in multiple products

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack.

5.9
2023-12-18 CVE-2023-35867 Bosch Unspecified vulnerability in Bosch products

An improper handling of a malformed API answer packets to API clients in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation.

5.9
2023-12-18 CVE-2023-50979 Cryptopp Information Exposure Through Discrepancy vulnerability in Cryptopp Crypto++

Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during decryption with PKCS#1 v1.5 padding.

5.9
2023-12-18 CVE-2023-6908 Dfirkuiper Path Traversal vulnerability in Dfirkuiper Kuiper 2.3.4

A vulnerability, which was classified as problematic, was found in DFIRKuiper Kuiper 2.3.4.

5.9
2023-12-21 CVE-2023-6746 Github Information Exposure Through Log Files vulnerability in Github Enterprise Server

An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end service that could permit an `adversary in the middle attack` when combined with other phishing techniques.

5.7
2023-12-19 CVE-2023-42940 Apple Unspecified vulnerability in Apple Macos

A session rendering issue was addressed with improved session tracking.

5.7
2023-12-22 CVE-2023-45165 IBM Unspecified vulnerability in IBM AIX 7.2/7.3

IBM AIX 7.2 and 7.3 could allow a non-privileged local user to exploit a vulnerability in the AIX SMB client to cause a denial of service.

5.5
2023-12-21 CVE-2023-6804 Github Improper Privilege Management vulnerability in Github Enterprise Server

Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT.

5.5
2023-12-21 CVE-2023-7042 Linux NULL Pointer Dereference vulnerability in Linux Kernel

A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel.

5.5
2023-12-21 CVE-2023-4255 Tats
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

An out-of-bounds write issue has been discovered in the backspace handling of the checkType() function in etc.c within the W3M application.

5.5
2023-12-21 CVE-2023-4256 Broadcom
Fedoraproject
Double Free vulnerability in multiple products

Within tcpreplay's tcprewrite, a double free vulnerability has been identified in the tcpedit_dlt_cleanup() function within plugins/dlt_plugins.c.

5.5
2023-12-20 CVE-2023-42012 IBM Unspecified vulnerability in IBM Urbancode Deploy

An IBM UrbanCode Deploy Agent 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 installed as a Windows service in a non-standard location could be subject to a denial of service attack by local accounts.

5.5
2023-12-19 CVE-2023-45172 IBM Unspecified vulnerability in IBM AIX and Vios

IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in AIX windows to cause a denial of service.

5.5
2023-12-18 CVE-2023-51384 Openbsd Unspecified vulnerability in Openbsd Openssh

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied.

5.5
2023-12-18 CVE-2023-6228 Libtiff Out-of-bounds Write vulnerability in Libtiff

An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash.

5.5
2023-12-23 CVE-2020-36769 Porternovelli Cross-site Scripting vulnerability in Porternovelli Widget Settings Importer/Exporter

The Widget Settings Importer/Exporter Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp_ajax_import_widget_dataparameter AJAX action in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping.

5.4
2023-12-23 CVE-2023-6744 Elegantthemes Cross-site Scripting vulnerability in Elegantthemes Divi

The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'et_pb_text' shortcode in all versions up to, and including, 4.23.1 due to insufficient input sanitization and output escaping on user supplied custom field data.

5.4
2023-12-22 CVE-2023-50924 Engelsystem Cross-site Scripting vulnerability in Engelsystem

Englesystem is a shift planning system for chaos events.

5.4
2023-12-22 CVE-2023-50712 Dfir Iris Improper Neutralization of Alternate XSS Syntax vulnerability in Dfir-Iris Iris

Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations.

5.4
2023-12-22 CVE-2023-49791 Nextcloud Improper Access Control vulnerability in Nextcloud Server

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform.

5.4
2023-12-22 CVE-2023-45957 Thirtybees Cross-site Scripting vulnerability in Thirtybees Thirty Bees 1.4.0

A stored cross-site scripting (XSS) vulnerability in the component admin/AdminRequestSqlController.php of thirty bees before 1.5.0 allows attackers to execute arbitrary web script or HTML via $e->getMessage() error mishandling.

5.4
2023-12-22 CVE-2023-7059 Remyandrade Cross-site Scripting vulnerability in Remyandrade School Visitor LOG E-Book 1.0

A vulnerability was found in SourceCodester School Visitor Log e-Book 1.0.

5.4
2023-12-22 CVE-2023-7055 Phpgurukul Incorrect Permission Assignment for Critical Resource vulnerability in PHPgurukul Online Notes Sharing System 1.0

A vulnerability classified as problematic has been found in PHPGurukul Online Notes Sharing System 1.0.

5.4
2023-12-22 CVE-2023-7056 Carmelogarcia Cross-site Scripting vulnerability in Carmelogarcia Faculty Management System 1.0

A vulnerability classified as problematic was found in code-projects Faculty Management System 1.0.

5.4
2023-12-22 CVE-2023-7054 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Online Notes Sharing System 1.0

A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0.

5.4
2023-12-22 CVE-2023-49086 Cacti Cross-site Scripting vulnerability in Cacti 1.2.25

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB).

5.4
2023-12-21 CVE-2023-7050 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Online Notes Sharing System 1.0

A vulnerability has been found in PHPGurukul Online Notes Sharing System 1.0 and classified as problematic.

5.4
2023-12-21 CVE-2023-7041 Codelyfe Path Traversal: '../filedir' vulnerability in Codelyfe Stupid Simple CMS

A vulnerability, which was classified as critical, has been found in codelyfe Stupid Simple CMS up to 1.2.4.

5.4
2023-12-21 CVE-2023-50834 Augustinfotech Cross-site Scripting vulnerability in Augustinfotech Woocommerce Menu Extension

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in August Infotech WooCommerce Menu Extension allows Stored XSS.This issue affects WooCommerce Menu Extension: from n/a through 1.6.2.

5.4
2023-12-21 CVE-2023-50831 Villatheme Cross-site Scripting vulnerability in Villatheme Curcy

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme CURCY – Multi Currency for WooCommerce allows Stored XSS.This issue affects CURCY – Multi Currency for WooCommerce: from n/a through 2.2.0.

5.4
2023-12-21 CVE-2023-50833 Extendthemes Cross-site Scripting vulnerability in Extendthemes Colibri Page Builder 1.0.227/1.0.229

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ExtendThemes Colibri Page Builder allows Stored XSS.This issue affects Colibri Page Builder: from n/a through 1.0.239.

5.4
2023-12-21 CVE-2023-7036 Automad Cross-site Scripting vulnerability in Automad

A vulnerability was found in automad up to 1.10.9.

5.4
2023-12-21 CVE-2023-47525 Awplife Cross-site Scripting vulnerability in Awplife Event Monster

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Event Monster – Event Management, Tickets Booking, Upcoming Event allows Stored XSS.This issue affects Event Monster – Event Management, Tickets Booking, Upcoming Event: from n/a through 1.3.2.

5.4
2023-12-21 CVE-2023-47527 Sajjadhsagor Cross-site Scripting vulnerability in Sajjadhsagor WP Edit Username

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sajjad Hossain Sagor WP Edit Username allows Stored XSS.This issue affects WP Edit Username: from n/a through 1.0.5.

5.4
2023-12-21 CVE-2023-48114 Smartertools Cross-site Scripting vulnerability in Smartertools Smartermail

SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document.

5.4
2023-12-21 CVE-2023-48115 Smartertools Cross-site Scripting vulnerability in Smartertools Smartermail

SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request.

5.4
2023-12-21 CVE-2023-48116 Smartertools Cross-site Scripting vulnerability in Smartertools Smartermail

SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment.

5.4
2023-12-21 CVE-2023-50377 AB WP Cross-site Scripting vulnerability in Ab-Wp Simple Counter 1.0/1.0.1/1.0.2

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AB-WP Simple Counter allows Stored XSS.This issue affects Simple Counter: from n/a through 1.0.2.

5.4
2023-12-21 CVE-2023-50822 Currencywiki Cross-site Scripting vulnerability in Currencywiki Currency Converter Widget - Exchange Rates 3.0.2

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Currency.Wiki Currency Converter Widget – Exchange Rates allows Stored XSS.This issue affects Currency Converter Widget – Exchange Rates: from n/a through 3.0.2.

5.4
2023-12-21 CVE-2023-50823 Wipeoutmedia Cross-site Scripting vulnerability in Wipeoutmedia CSS & Javascript Toolbox

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wipeout Media CSS & JavaScript Toolbox allows Stored XSS.This issue affects CSS & JavaScript Toolbox: from n/a through 11.7.

5.4
2023-12-21 CVE-2023-50824 Elearningfreak Cross-site Scripting vulnerability in Elearningfreak Insert or Embed Articulate Content

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Batt Insert or Embed Articulate Content into WordPress allows Stored XSS.This issue affects Insert or Embed Articulate Content into WordPress: from n/a through 4.3000000021.

5.4
2023-12-21 CVE-2023-50825 Jacksonwhelan Cross-site Scripting vulnerability in Jacksonwhelan Iframe Shortcode

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terrier Tenacity iframe Shortcode allows Stored XSS.This issue affects iframe Shortcode: from n/a through 2.0.

5.4
2023-12-21 CVE-2023-7035 Automad Cross-site Scripting vulnerability in Automad

A vulnerability was found in automad up to 1.10.9 and classified as problematic.

5.4
2023-12-21 CVE-2023-50473 Billahmed Cross-site Scripting vulnerability in Billahmed Qbit Matui 1.16.4

Cross-Site Scripting (XSS) vulnerability in bill-ahmed qbit-matUI version 1.16.4, allows remote attackers to obtain sensitive information via fixed session identifiers (SID) in index.js file.

5.4
2023-12-21 CVE-2023-47265 Apache Cross-site Scripting vulnerability in Apache Airflow

Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox.

5.4
2023-12-21 CVE-2023-45700 Hcltechsw Cross-site Scripting vulnerability in Hcltechsw HCL Launch

HCL Launch is vulnerable to HTML injection.

5.4
2023-12-20 CVE-2023-50639 Iscute Cross-site Scripting vulnerability in Iscute Cute Http File Server 1.0/2.0

Cross Site Scripting (XSS) vulnerability in CuteHttpFileServer v.1.0 and v.2.0 allows attackers to obtain sensitive information via the file upload function in the home page.

5.4
2023-12-20 CVE-2023-49270 Kashipara Cross-site Scripting vulnerability in Kashipara Hotel Management 1.0

Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities.

5.4
2023-12-20 CVE-2023-49271 Kashipara Cross-site Scripting vulnerability in Kashipara Hotel Management 1.0

Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities.

5.4
2023-12-20 CVE-2023-49272 Kashipara Cross-site Scripting vulnerability in Kashipara Hotel Management 1.0

Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities.

5.4
2023-12-20 CVE-2023-49269 Gvnpatidar Cross-site Scripting vulnerability in Gvnpatidar Hotel Management System 1.0

Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities.

5.4
2023-12-20 CVE-2023-38513 Meowapps Authorization Bypass Through User-Controlled Key vulnerability in Meowapps Photo Engine

Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom).This issue affects Photo Engine (Media Organizer & Lightroom): from n/a through 6.2.5.

5.4
2023-12-20 CVE-2023-51457 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

5.4
2023-12-20 CVE-2023-51458 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

5.4
2023-12-20 CVE-2023-51459 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.

5.4
2023-12-20 CVE-2023-51460 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

5.4
2023-12-20 CVE-2023-51461 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

5.4
2023-12-20 CVE-2023-51462 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.

5.4
2023-12-20 CVE-2023-47707 IBM Cross-site Scripting vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0

IBM Security Guardium Key Lifecycle Manager 4.3 is vulnerable to cross-site scripting.

5.4
2023-12-19 CVE-2023-5432 Gopiplus Cross-site Scripting vulnerability in Gopiplus Jquery News Ticker

The Jquery news ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jquery-news-ticker' shortcode in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-12-19 CVE-2023-5413 Gopiplus Cross-site Scripting vulnerability in Gopiplus Image Horizontal Reel Scroll Slideshow

The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-12-19 CVE-2023-6488 Getshortcodes Cross-site Scripting vulnerability in Getshortcodes Shortcodes Ultimate

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_button', 'su_members', and 'su_tabs' shortcodes in all versions up to, and including, 7.0.0 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-12-18 CVE-2023-6778 Clear Cross-site Scripting vulnerability in Clear Clearml Server

Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/clearml-server prior to 1.13.0.

5.4
2023-12-24 CVE-2023-51765 Sendmail
Freebsd
Redhat
Insufficient Verification of Data Authenticity vulnerability in multiple products

sendmail through 8.17.2 allows SMTP smuggling in certain configurations.

5.3
2023-12-24 CVE-2023-51766 Exim
Fedoraproject
Debian
Insufficient Verification of Data Authenticity vulnerability in multiple products

Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations.

5.3
2023-12-24 CVE-2023-51764 Postfix
Fedoraproject
Redhat
Insufficient Verification of Data Authenticity vulnerability in multiple products

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions).

5.3
2023-12-22 CVE-2023-50258 Pymedusa Server-Side Request Forgery (SSRF) vulnerability in Pymedusa Medusa

Medusa is an automatic video library manager for TV shows.

5.3
2023-12-22 CVE-2023-50259 Pymedusa Server-Side Request Forgery (SSRF) vulnerability in Pymedusa Medusa

Medusa is an automatic video library manager for TV shows.

5.3
2023-12-21 CVE-2023-27319 Netapp Information Exposure Through an Error Message vulnerability in Netapp Ontap Mediator

ONTAP Mediator versions prior to 1.7 are susceptible to a vulnerability that can allow an unauthenticated attacker to enumerate URLs via REST API.

5.3
2023-12-21 CVE-2023-46646 Github Authorization Bypass Through User-Controlled Key vulnerability in Github Enterprise Server

Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint.

5.3
2023-12-21 CVE-2023-41166 Stormshield Unspecified vulnerability in Stormshield Network Security

An issue was discovered in Stormshield Network Security (SNS) 3.7.0 through 3.7.39, 3.11.0 through 3.11.27, 4.3.0 through 4.3.22, 4.6.0 through 4.6.9, and 4.7.0 through 4.7.1.

5.3
2023-12-20 CVE-2023-47703 IBM Information Exposure Through an Error Message vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0

IBM Security Guardium Key Lifecycle Manager 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.3
2023-12-20 CVE-2023-42013 IBM Information Exposure Through an Error Message vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.3
2023-12-20 CVE-2023-50705 Efacec Incorrect Authorization vulnerability in Efacec UC 500E Firmware 10.1.0

An attacker could create malicious requests to obtain sensitive information about the web server.

5.3
2023-12-19 CVE-2023-6857 Mozilla
Debian
Race Condition vulnerability in multiple products

When resolving a symlink, a race may occur where the buffer passed to `readlink` may actually be smaller than necessary.

5.3
2023-12-19 CVE-2014-125107 Corveda Protection Mechanism Failure vulnerability in Corveda PHPsandbox 1.3.4

A vulnerability was found in Corveda PHPSandbox 1.3.4 and classified as critical.

5.3
2023-12-19 CVE-2023-6918 Libssh
Redhat
Fedoraproject
Unchecked Return Value vulnerability in multiple products

A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends.

5.3
2023-12-18 CVE-2023-47741 IBM Insufficiently Protected Credentials vulnerability in IBM DB2 Mirror for I and I

IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected.

5.3
2023-12-18 CVE-2023-6065 Quttera Unspecified vulnerability in Quttera web Malware Scanner

The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code

5.3
2023-12-18 CVE-2022-41677 Bosch Unspecified vulnerability in Bosch products

An information disclosure vulnerability was discovered in Bosch IP camera devices allowing an unauthenticated attacker to retrieve information (like capabilities) about the device itself and network settings of the device, disclosing possibly internal network settings if the device is connected to the internet.

5.3
2023-12-18 CVE-2023-28053 Dell Use of a Broken or Risky Cryptographic Algorithm vulnerability in Dell EMC Networker

Dell NetWorker Virtual Edition versions 19.8 and below contain the use of deprecated cryptographic algorithms in the SSH component.

5.3
2023-12-21 CVE-2023-46645 Github Path Traversal vulnerability in Github Enterprise Server

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site.

4.9
2023-12-21 CVE-2023-51379 Github Incorrect Authorization vulnerability in Github Enterprise Server

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token.

4.9
2023-12-20 CVE-2023-32743 Woocommerce SQL Injection vulnerability in Woocommerce Automatewoo

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 5.7.1.

4.9
2023-12-20 CVE-2023-38519 Mainwp SQL Injection vulnerability in Mainwp Dashboard

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MainWP MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance.This issue affects MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance: from n/a through 4.4.3.3.

4.9
2023-12-20 CVE-2023-47236 Ipages Flipbook Project SQL Injection vulnerability in Ipages Flipbook Project Ipages Flipbook

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Avirtum iPages Flipbook For WordPress.This issue affects iPages Flipbook For WordPress: from n/a through 1.4.8.

4.9
2023-12-18 CVE-2023-40691 IBM Unspecified vulnerability in IBM Cloud PAK for Business Automation

IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 may reveal sensitive information contained in application configuration to developer and administrator users.

4.9
2023-12-22 CVE-2023-49088 Cacti Cross-site Scripting vulnerability in Cacti

Cacti is an open source operational monitoring and fault management framework.

4.8
2023-12-21 CVE-2023-50829 Quick Plugins Cross-site Scripting vulnerability in Quick-Plugins Loan Repayment Calculator and Application Form

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aerin Loan Repayment Calculator and Application Form allows Stored XSS.This issue affects Loan Repayment Calculator and Application Form: from n/a through 2.9.3.

4.8
2023-12-21 CVE-2023-50830 Seosthemes Cross-site Scripting vulnerability in Seosthemes Seos Contact Form

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Seosbg Seos Contact Form allows Stored XSS.This issue affects Seos Contact Form: from n/a through 1.8.0.

4.8
2023-12-21 CVE-2023-50832 Mondula Cross-site Scripting vulnerability in Mondula Multi Step Form

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mondula GmbH Multi Step Form allows Stored XSS.This issue affects Multi Step Form: from n/a through 1.7.13.

4.8
2023-12-21 CVE-2023-50826 Freshlightlab Cross-site Scripting vulnerability in Freshlightlab Menu Image, Icons Made Easy

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Freshlight Lab Menu Image, Icons made easy allows Stored XSS.This issue affects Menu Image, Icons made easy: from n/a through 3.10.

4.8
2023-12-21 CVE-2023-50827 Accredible Cross-site Scripting vulnerability in Accredible Certificates & Open Badges

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Accredible Accredible Certificates & Open Badges allows Stored XSS.This issue affects Accredible Certificates & Open Badges: from n/a through 1.4.8.

4.8
2023-12-21 CVE-2023-50828 Davidvongries Cross-site Scripting vulnerability in Davidvongries Ultimate Dashboard

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Vongries Ultimate Dashboard – Custom WordPress Dashboard allows Stored XSS.This issue affects Ultimate Dashboard – Custom WordPress Dashboard: from n/a through 3.7.11.

4.8
2023-12-21 CVE-2023-28025 Hcltech Cross-site Scripting vulnerability in Hcltech Bigfix Modern Client Management 2.0/2.1

Due to this vulnerability, the Master operator could potentially incorporate an SVG tag into HTML, leading to an alert pop-up displaying a cookie.

4.8
2023-12-19 CVE-2023-6945 Mayurik Cross-site Scripting vulnerability in Mayurik Online Student Management System 1.0

A vulnerability has been found in SourceCodester Online Student Management System 1.0 and classified as problematic.

4.8
2023-12-18 CVE-2023-5005 Codesmade Cross-site Scripting vulnerability in Codesmade Autocomplete Location Field Contact Form 7

The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0, autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-12-18 CVE-2023-6911 Wso2 Cross-site Scripting vulnerability in Wso2 products

Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.

4.8
2023-12-20 CVE-2023-6769 MR Corner Cross-site Scripting vulnerability in Mr-Corner Amazing Little Poll 1.3/1.4

Stored XSS vulnerability in Amazing Little Poll, affecting versions 1.3 and 1.4.

4.6
2023-12-18 CVE-2023-41967 Gallagher Improper Cross-boundary Removal of Sensitive Data vulnerability in Gallagher Controller 6000 Firmware

Sensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller's default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages.

4.6
2023-12-21 CVE-2023-7047 Devolutions Unspecified vulnerability in Devolutions Remote Desktop Manager

Inadequate validation of permissions when employing remote tools and macros via the context menu within Devolutions Remote Desktop Manager versions 2023.3.31 and earlier permits a user to initiate a connection without proper execution rights via the remote tools feature.

4.4
2023-12-24 CVE-2023-7092 Uniwayinfo Cross-Site Request Forgery (CSRF) vulnerability in Uniwayinfo Uw-302Vp Firmware 2.0

A vulnerability was found in Uniway UW-302VP 2.0.

4.3
2023-12-22 CVE-2023-51451 Sentry Server-Side Request Forgery (SSRF) vulnerability in Sentry Symbolicator 0.3.3/23.11.2

Symbolicator is a service used in Sentry.

4.3
2023-12-22 CVE-2023-49790 Nextcloud Improper Authentication vulnerability in Nextcloud

The Nextcloud iOS Files app allows users of iOS to interact with Nextcloud, a self-hosted productivity platform.

4.3
2023-12-22 CVE-2023-51649 Networktocode Incorrect Authorization vulnerability in Networktocode Nautobot

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database.

4.3
2023-12-22 CVE-2023-7052 Phpgurukul Cross-Site Request Forgery (CSRF) vulnerability in PHPgurukul Online Notes Sharing System 1.0

A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0.

4.3
2023-12-21 CVE-2023-7051 Phpgurukul Cross-Site Request Forgery (CSRF) vulnerability in PHPgurukul Online Notes Sharing System 1.0

A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0 and classified as problematic.

4.3
2023-12-21 CVE-2023-51380 Github Incorrect Authorization vulnerability in Github Enterprise Server

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. 

4.3
2023-12-21 CVE-2023-48291 Apache Exposure of Resource to Wrong Sphere vulnerability in Apache Airflow

Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2  Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.

4.3
2023-12-20 CVE-2023-6784 Progress Unspecified vulnerability in Progress Sitefinity

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.

4.3
2023-12-20 CVE-2023-47705 IBM Improper Input Validation vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0

IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to manipulate username data due to improper input validation.

4.3
2023-12-20 CVE-2023-50706 Efacec Unspecified vulnerability in Efacec UC 500E Firmware 10.1.0

A user without administrator permissions with access to the UC500 windows system could perform a memory dump of the running processes and extract clear credentials or valid session tokens.

4.3
2023-12-19 CVE-2023-50761 Mozilla
Debian
The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time.
4.3
2023-12-19 CVE-2023-50762 Mozilla
Debian
When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user.
4.3
2023-12-19 CVE-2023-6135 Mozilla Information Exposure Through Discrepancy vulnerability in Mozilla Firefox

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva".

4.3
2023-12-19 CVE-2023-6868 Mozilla Unspecified vulnerability in Mozilla Firefox

In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one.

4.3
2023-12-19 CVE-2023-6870 Mozilla Unspecified vulnerability in Mozilla Firefox

Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displayed by Firefox.

4.3
2023-12-19 CVE-2023-6871 Mozilla Unspecified vulnerability in Mozilla Firefox

Under certain conditions, Firefox did not display a warning when a user attempted to navigate to a new protocol handler.

4.3
2023-12-19 CVE-2019-25157 Ethex Improper Access Control vulnerability in Ethex Contracts

A vulnerability was found in Ethex Contracts.

4.3
2023-12-19 CVE-2023-42015 IBM Cross-site Scripting vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 is vulnerable to HTML injection.

4.3
2023-12-18 CVE-2023-22439 Gallagher Improper Input Validation vulnerability in Gallagher Command Centre and Controller 6000 Firmware

Improper input validation of a large HTTP request in the Controller 6000 and Controller 7000 optional diagnostic web interface (Port 80) can be used to perform a Denial of Service of the diagnostic web interface. This issue affects: Gallagher Controller 6000 and 7000 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior.

4.3
2023-12-18 CVE-2023-23576 Gallagher Unspecified vulnerability in Gallagher Command Centre

Incorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision.

4.3
2023-12-18 CVE-2023-23584 Gallagher Information Exposure Through Discrepancy vulnerability in Gallagher Command Centre

An observable response discrepancy in the Gallagher Command Centre RESTAPI allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable.

4.3
2023-12-18 CVE-2023-6289 Swteplugins Unspecified vulnerability in Swteplugins Swift Performance

The Swift Performance Lite WordPress plugin before 2.3.6.15 does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens.

4.3
2023-12-18 CVE-2023-5056 Redhat Missing Authorization vulnerability in Redhat Service Interconnect 1.0

A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster.

4.1
2023-12-21 CVE-2023-6803 Github Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Github Enterprise Server

A race condition in GitHub Enterprise Server allows an outside collaborator to be added while a repository is being transferred.

4.0

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-19 CVE-2022-45809 Quicoto Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Quicoto Thumbs Rating 5.0.0

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Ricard Torres Thumbs Rating.This issue affects Thumbs Rating: from n/a through 5.0.0.

3.7
2023-12-22 CVE-2023-51386 Amazon Improper Privilege Management vulnerability in Amazon Awslabs Sandbox Accounts for Events

Sandbox Accounts for Events provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI.

3.3
2023-12-22 CVE-2023-51651 Amazon Path Traversal vulnerability in Amazon AWS Software Development KIT

AWS SDK for PHP is the Amazon Web Services software development kit for PHP.

3.3
2023-12-18 CVE-2023-5384 Redhat
Infinispan
Cleartext Storage of Sensitive Information vulnerability in multiple products

A flaw was found in Infinispan.

2.7
2023-12-21 CVE-2023-6690 Github Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Github Enterprise Server

A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1.

2.0