Weekly Vulnerabilities Reports > January 1 to 7, 2024
Overview
387 new vulnerabilities reported during this period, including 72 critical vulnerabilities and 153 high severity vulnerabilities. This weekly summary report vulnerabilities in 660 products from 175 vendors including Kashipara, Qualcomm, Google, Paddlepaddle, and Qnap. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Cross-Site Request Forgery (CSRF)", and "Use After Free".
- 299 reported vulnerabilities are remotely exploitables.
- 128 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 230 reported vulnerabilities are exploitable by an anonymous user.
- Kashipara has the most reported vulnerabilities, with 34 reported vulnerabilities.
- Kashipara has the most reported critical vulnerabilities, with 18 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
72 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-01-07 | CVE-2024-0287 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability was found in Kashipara Food Management System 1.0. | 9.8 |
2024-01-07 | CVE-2023-7212 | Dedecms | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms A vulnerability classified as critical has been found in DeDeCMS up to 5.7.112. | 9.8 |
2024-01-07 | CVE-2023-7210 | Onenav | Improper Authentication vulnerability in Onenav A vulnerability was found in OneNav up to 0.9.33. | 9.8 |
2024-01-07 | CVE-2024-0268 | Surajghosh | SQL Injection vulnerability in Surajghosh Hospital Management System A vulnerability, which was classified as critical, has been found in Kashipara Hospital Management System up to 1.0. | 9.8 |
2024-01-07 | CVE-2023-7208 | Totolink | Out-of-bounds Write vulnerability in Totolink X2000R Firmware 2.0.0B20230727.10434 A vulnerability classified as critical was found in Totolink X2000R_V2 2.0.0-B20230727.10434. | 9.8 |
2024-01-07 | CVE-2024-0267 | Surajghosh | SQL Injection vulnerability in Surajghosh Hospital Management System A vulnerability classified as critical was found in Kashipara Hospital Management System up to 1.0. | 9.8 |
2024-01-07 | CVE-2024-0264 | Oretnom23 | Authorization Bypass Through User-Controlled Key vulnerability in Oretnom23 Clinic Queuing System 1.0 A vulnerability was found in SourceCodester Clinic Queuing System 1.0. | 9.8 |
2024-01-06 | CVE-2023-46953 | Abocms | SQL Injection vulnerability in Abocms Abo.Cms 5.9.3 SQL Injection vulnerability in ABO.CMS v.5.9.3, allows remote attackers to execute arbitrary code via the d parameter in the Documents module. | 9.8 |
2024-01-05 | CVE-2024-0247 | Online Food Ordering System Project | SQL Injection vulnerability in Online Food Ordering System Project Online Food Ordering System 1.0 A vulnerability classified as critical was found in CodeAstro Online Food Ordering System 1.0. | 9.8 |
2024-01-05 | CVE-2022-46839 | Wiselyhub | Unrestricted Upload of File with Dangerous Type vulnerability in Wiselyhub JS Help Desk Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1. | 9.8 |
2024-01-05 | CVE-2023-51673 | Stylishpricelist | Unspecified vulnerability in Stylishpricelist Stylish Price List Cross-Site Request Forgery (CSRF) vulnerability in Designful Stylish Price List – Price Table Builder & QR Code Restaurant Menu.This issue affects Stylish Price List – Price Table Builder & QR Code Restaurant Menu: from n/a through 7.0.17. | 9.8 |
2024-01-05 | CVE-2020-13880 | Irfanview | Out-of-bounds Write vulnerability in Irfanview B3D IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+1cbf heap-based out-of-bounds write. | 9.8 |
2024-01-05 | CVE-2023-50027 | BUY Addons | SQL Injection vulnerability in Buy-Addons Bazoom Magnifier SQL Injection vulnerability in Buy Addons baproductzoommagnifier module for PrestaShop versions 1.0.16 and before, allows remote attackers to escalate privileges and gain sensitive information via BaproductzoommagnifierZoomModuleFrontController::run() method. | 9.8 |
2024-01-05 | CVE-2020-13878 | Irfanview | Out-of-bounds Write vulnerability in Irfanview B3D IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+27ef heap-based out-of-bounds write. | 9.8 |
2024-01-05 | CVE-2020-13879 | Irfanview | Out-of-bounds Write vulnerability in Irfanview B3D IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+214f heap-based out-of-bounds write. | 9.8 |
2024-01-05 | CVE-2023-51502 | Automattic | Authorization Bypass Through User-Controlled Key vulnerability in Automattic Woocommerce Stripe 7.6.1 Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1. | 9.8 |
2024-01-05 | CVE-2023-51277 | Tinowagner | Unspecified vulnerability in Tinowagner Jupyter Notebook Viewer nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has the get-task-allow entitlement for release builds. | 9.8 |
2024-01-05 | CVE-2024-22086 | Hayyp | Out-of-bounds Write vulnerability in Hayyp Cherry 20210105 handle_request in http.c in cherry through 4b877df has an sscanf stack-based buffer overflow via a long URI, leading to remote code execution. | 9.8 |
2024-01-05 | CVE-2024-22087 | Alekseykurepin | Out-of-bounds Write vulnerability in Alekseykurepin Pico Http Server in C 20210402 route in main.c in Pico HTTP Server in C through f3b69a6 has an sprintf stack-based buffer overflow via a long URI, leading to remote code execution. | 9.8 |
2024-01-05 | CVE-2024-22088 | Chendotjs | Use After Free vulnerability in Chendotjs Lotos Webserver 0.1.0/0.1.1 Lotos WebServer through 0.1.1 (commit 3eb36cc) has a use-after-free in buffer_avail() at buffer.h via a long URI, because realloc is mishandled. | 9.8 |
2024-01-04 | CVE-2024-22051 | Github Gjtorikian | Integer Overflow or Wraparound vulnerability in multiple products CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. | 9.8 |
2024-01-04 | CVE-2023-51154 | Jizhicms | Unspecified vulnerability in Jizhicms 2.5.0 Jizhicms v2.5 was discovered to contain an arbitrary file download vulnerability via the component /admin/c/PluginsController.php. | 9.8 |
2024-01-04 | CVE-2023-51812 | Tenda | Unspecified vulnerability in Tenda AX3 Firmware 16.03.12.11 Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /goform/SetNetControlList. | 9.8 |
2024-01-04 | CVE-2023-50862 | Kashipara | SQL Injection vulnerability in Kashipara Travel Website 1.0 Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-50863 | Kashipara | SQL Injection vulnerability in Kashipara Travel Website 1.0 Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-50864 | Kashipara | SQL Injection vulnerability in Kashipara Travel Website 1.0 Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-50865 | Kashipara | SQL Injection vulnerability in Kashipara Travel Website 1.0 Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-50866 | Kashipara | SQL Injection vulnerability in Kashipara Travel Website 1.0 Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-50867 | Kashipara | SQL Injection vulnerability in Kashipara Travel Website 1.0 Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-49622 | Kashipara | SQL Injection vulnerability in Kashipara Billing Software 1.0 Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'itemnameid' parameter of the material_bill.php?action=itemRelation resource does not validate the characters received and they are sent unfiltered to the database. | 9.8 |
2024-01-04 | CVE-2023-49624 | Kashipara | SQL Injection vulnerability in Kashipara Billing Software 1.0 Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-49625 | Kashipara | SQL Injection vulnerability in Kashipara Billing Software 1.0 Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-49633 | Kashipara | SQL Injection vulnerability in Kashipara Billing Software 1.0 Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-49639 | Kashipara | SQL Injection vulnerability in Kashipara Billing Software 1.0 Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-49658 | Kashipara | SQL Injection vulnerability in Kashipara Billing Software 1.0 Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-49665 | Kashipara | SQL Injection vulnerability in Kashipara Billing Software 1.0 Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-49666 | Kashipara | SQL Injection vulnerability in Kashipara Billing System 1.0 Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-50743 | Kashipara | SQL Injection vulnerability in Kashipara Online Notice Board System 1.0 Online Notice Board System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-50752 | Kashipara | SQL Injection vulnerability in Kashipara Online Notice Board System 1.0 Online Notice Board System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-04 | CVE-2023-50753 | Kashipara | SQL Injection vulnerability in Kashipara Online Notice Board System 1.0 Online Notice Board System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. | 9.8 |
2024-01-03 | CVE-2023-49442 | Jeecg | Deserialization of Untrusted Data vulnerability in Jeecg Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via crafted POST request. | 9.8 |
2024-01-03 | CVE-2023-50090 | Ureport2 Project | Unspecified vulnerability in Ureport2 Project Ureport2 Arbitrary File Write vulnerability in the saveReportFile method of ureport2 2.2.9 and before allows attackers to write arbitrary files and run arbitrary commands via crafted POST request. | 9.8 |
2024-01-03 | CVE-2023-46740 | Linuxfoundation | Use of Insufficiently Random Values vulnerability in Linuxfoundation Cubefs CubeFS is an open-source cloud-native file storage system. | 9.8 |
2024-01-03 | CVE-2023-46741 | Linuxfoundation | Unspecified vulnerability in Linuxfoundation Cubefs CubeFS is an open-source cloud-native file storage system. | 9.8 |
2024-01-03 | CVE-2023-51784 | Apache | Code Injection vulnerability in Apache Inlong Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9329 | 9.8 |
2024-01-03 | CVE-2023-50921 | GL Inet | Unspecified vulnerability in Gl-Inet products An issue was discovered on GL.iNet devices through 4.5.0. | 9.8 |
2024-01-03 | CVE-2023-52304 | Paddlepaddle | Out-of-bounds Write vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. | 9.8 |
2024-01-03 | CVE-2023-52307 | Paddlepaddle | Out-of-bounds Write vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0. | 9.8 |
2024-01-03 | CVE-2023-52309 | Paddlepaddle | Out-of-bounds Write vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. | 9.8 |
2024-01-03 | CVE-2023-52310 | Paddlepaddle | OS Command Injection vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. | 9.8 |
2024-01-03 | CVE-2023-52311 | Paddlepaddle | OS Command Injection vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 PaddlePaddle before 2.6.0 has a command injection in _wget_download. | 9.8 |
2024-01-03 | CVE-2023-52314 | Paddlepaddle | OS Command Injection vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. | 9.8 |
2024-01-03 | CVE-2023-46308 | Plotly | Unspecified vulnerability in Plotly Plotly.Js In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty. | 9.8 |
2024-01-03 | CVE-2023-45722 | Hcltech | Path Traversal vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by path traversal arbitrary file read vulnerability because it uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory. | 9.8 |
2024-01-03 | CVE-2023-45723 | Hcltech | Path Traversal vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by path traversal vulnerability which allows file upload capability. | 9.8 |
2024-01-03 | CVE-2023-45724 | Hcltech | Unrestricted Upload of File with Dangerous Type vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability. | 9.8 |
2024-01-02 | CVE-2023-6339 | Missing Encryption of Sensitive Data vulnerability in Google Nest Wifi PRO Firmware Google Nest WiFi Pro root code-execution & user-data compromise | 9.8 | |
2024-01-02 | CVE-2024-21632 | Recognizeapp | Improper Authentication vulnerability in Recognizeapp Omniauth::Microsoftgraph omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. | 9.8 |
2024-01-02 | CVE-2023-47458 | Bladex | Missing Authorization vulnerability in Bladex Springblade 3.2.0/3.6.0/3.7.0 An issue in SpringBlade v.3.7.0 and before allows a remote attacker to escalate privileges via the lack of permissions control framework. | 9.8 |
2024-01-02 | CVE-2024-0194 | Codeastro | Unrestricted Upload of File with Dangerous Type vulnerability in Codeastro Internet Banking System 1.0 A vulnerability, which was classified as critical, has been found in CodeAstro Internet Banking System up to 1.0. | 9.8 |
2024-01-02 | CVE-2024-0195 | Ssssssss | Code Injection vulnerability in Ssssssss Spider-Flow 0.4.3 A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. | 9.8 |
2024-01-02 | CVE-2024-21623 | Mehah | Injection vulnerability in Mehah Otclient OTCLient is an alternative tibia client for otserv. | 9.8 |
2024-01-02 | CVE-2023-50711 | Rust VMM | Out-of-bounds Write vulnerability in Rust-Vmm Vmm-Sys-Util vmm-sys-util is a collection of modules that provides helpers and utilities used by multiple rust-vmm components. | 9.8 |
2024-01-02 | CVE-2023-48419 | Unspecified vulnerability in Google products An attacker in the wifi vicinity of a target Google Home can spy on the victim, resulting in Elevation of Privilege | 9.8 | |
2024-01-02 | CVE-2023-4280 | Silabs | Unspecified vulnerability in Silabs Gecko Software Development KIT An unvalidated input in Silicon Labs TrustZone implementation in v4.3.x and earlier of the Gecko SDK allows an attacker to access the trusted region of memory from the untrusted region. | 9.8 |
2024-01-02 | CVE-2023-6436 | Ekolbilisim | SQL Injection vulnerability in Ekolbilisim web Sablonu Yazilimi 20231215 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection.This issue affects Website Template: through 20231215. | 9.8 |
2024-01-02 | CVE-2023-33025 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Memory corruption in Data Modem when a non-standard SDP body, during a VOLTE call. | 9.8 |
2024-01-02 | CVE-2023-32874 | Mediatek | Out-of-bounds Write vulnerability in Mediatek products In Modem IMS Stack, there is a possible out of bounds write due to a missing bounds check. | 9.8 |
2024-01-01 | CVE-2024-0182 | Janobe | SQL Injection vulnerability in Janobe Engineers Online Portal 1.0 A vulnerability was found in SourceCodester Engineers Online Portal 1.0 and classified as critical. | 9.8 |
2024-01-01 | CVE-2023-5877 | Servit | Missing Authorization vulnerability in Servit Affiliate-Toolkit The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue. | 9.8 |
2024-01-03 | CVE-2023-39655 | Perfood | Injection vulnerability in Perfood Couchauth A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. | 9.6 |
2024-01-03 | CVE-2023-50351 | Hcltech | Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by the use of an insecure key rotation mechanism which can allow an attacker to compromise the confidentiality or integrity of data. | 9.1 |
153 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-01-07 | CVE-2023-7214 | Totolink | Out-of-bounds Write vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216 A vulnerability, which was classified as critical, has been found in Totolink N350RT 9.3.5u.6139_B20201216. | 8.8 |
2024-01-07 | CVE-2023-7213 | Totolink | Out-of-bounds Write vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216 A vulnerability classified as critical was found in Totolink N350RT 9.3.5u.6139_B20201216. | 8.8 |
2024-01-07 | CVE-2024-0265 | Oretnom23 | External Control of File Name or Path vulnerability in Oretnom23 Clinic Queuing System 1.0 A vulnerability was found in SourceCodester Clinic Queuing System 1.0. | 8.8 |
2024-01-05 | CVE-2023-41287 | Qnap | SQL Injection vulnerability in Qnap Video Station 5.7.1 A SQL injection vulnerability has been reported to affect Video Station. | 8.8 |
2024-01-05 | CVE-2023-41288 | Qnap | OS Command Injection vulnerability in Qnap Video Station 5.7.1 An OS command injection vulnerability has been reported to affect Video Station. | 8.8 |
2024-01-05 | CVE-2023-41289 | Qnap | OS Command Injection vulnerability in Qnap Qcalagent 1.1.6/1.1.7 An OS command injection vulnerability has been reported to affect QcalAgent. | 8.8 |
2024-01-05 | CVE-2023-47219 | Qnap | SQL Injection vulnerability in Qnap Qumagie 2.2.0 A SQL injection vulnerability has been reported to affect QuMagie. | 8.8 |
2024-01-05 | CVE-2023-47560 | Qnap | Command Injection vulnerability in Qnap Qumagie 2.2.0 An OS command injection vulnerability has been reported to affect QuMagie. | 8.8 |
2024-01-05 | CVE-2023-51535 | Cleantalk | Cross-Site Request Forgery (CSRF) vulnerability in Cleantalk Spam Protection, Antispam, Firewall Cross-Site Request Forgery (CSRF) vulnerability in ?leanTalk - Anti-Spam Protection Spam protection, Anti-Spam, FireWall by CleanTalk.This issue affects Spam protection, Anti-Spam, FireWall by CleanTalk: from n/a through 6.20. | 8.8 |
2024-01-05 | CVE-2023-51538 | Getawesomesupport | Cross-Site Request Forgery (CSRF) vulnerability in Getawesomesupport Awesome Support Cross-Site Request Forgery (CSRF) vulnerability in Awesome Support Team Awesome Support – WordPress HelpDesk & Support Plugin.This issue affects Awesome Support – WordPress HelpDesk & Support Plugin: from n/a through 6.1.5. | 8.8 |
2024-01-05 | CVE-2023-51539 | Apollo13Themes | Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Apollo13 Framework Extensions Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Apollo13 Framework Extensions.This issue affects Apollo13 Framework Extensions: from n/a through 1.9.1. | 8.8 |
2024-01-05 | CVE-2023-51668 | Wpzone | Cross-Site Request Forgery (CSRF) vulnerability in Wpzone Inline Image Upload for Bbpress Cross-Site Request Forgery (CSRF) vulnerability in WP Zone Inline Image Upload for BBPress.This issue affects Inline Image Upload for BBPress: from n/a through 1.1.18. | 8.8 |
2024-01-05 | CVE-2023-52119 | Icegram | Cross-Site Request Forgery (CSRF) vulnerability in Icegram Engage Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building.This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.18. | 8.8 |
2024-01-05 | CVE-2023-52120 | Basixonline | Cross-Site Request Forgery (CSRF) vulnerability in Basixonline Nex-Forms Cross-Site Request Forgery (CSRF) vulnerability in Basix NEX-Forms – Ultimate Form Builder – Contact forms and much more.This issue affects NEX-Forms – Ultimate Form Builder – Contact forms and much more: from n/a through 8.5.2. | 8.8 |
2024-01-05 | CVE-2023-52121 | Nitropack | Cross-Site Request Forgery (CSRF) vulnerability in Nitropack Cross-Site Request Forgery (CSRF) vulnerability in NitroPack Inc. | 8.8 |
2024-01-05 | CVE-2023-52122 | Presstigers | Cross-Site Request Forgery (CSRF) vulnerability in Presstigers Simple JOB Board Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Job Board.This issue affects Simple Job Board: from n/a through 2.10.6. | 8.8 |
2024-01-05 | CVE-2023-52123 | Wpchill | Cross-Site Request Forgery (CSRF) vulnerability in Wpchill Strong Testimonials Cross-Site Request Forgery (CSRF) vulnerability in WPChill Strong Testimonials.This issue affects Strong Testimonials: from n/a through 3.1.10. | 8.8 |
2024-01-05 | CVE-2023-52127 | Wpclever | Cross-Site Request Forgery (CSRF) vulnerability in Wpclever WPC Product Bundles for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Product Bundles for WooCommerce.This issue affects WPC Product Bundles for WooCommerce: from n/a through 7.3.1. | 8.8 |
2024-01-05 | CVE-2023-52128 | Linksoftwarellc | Cross-Site Request Forgery (CSRF) vulnerability in Linksoftwarellc White Label Cross-Site Request Forgery (CSRF) vulnerability in WhiteWP White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard.This issue affects White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard: from n/a through 2.9.0. | 8.8 |
2024-01-05 | CVE-2023-52129 | Mtrv | Cross-Site Request Forgery (CSRF) vulnerability in Mtrv Teachpress Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler teachPress.This issue affects teachPress: from n/a through 9.0.4. | 8.8 |
2024-01-05 | CVE-2023-52130 | Wpaffiliatemanager | Cross-Site Request Forgery (CSRF) vulnerability in Wpaffiliatemanager Affiliates Manager Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager.This issue affects Affiliates Manager: from n/a through 2.9.31. | 8.8 |
2024-01-05 | CVE-2023-52136 | Smashballoon | Cross-Site Request Forgery (CSRF) vulnerability in Smashballoon Custom Twitter Feeds Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds – A Tweets Widget or X Feed Widget.This issue affects Custom Twitter Feeds – A Tweets Widget or X Feed Widget: from n/a through 2.1.2. | 8.8 |
2024-01-05 | CVE-2023-52145 | Mariosalexandrou | Cross-Site Request Forgery (CSRF) vulnerability in Mariosalexandrou Republish OLD Posts Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou Republish Old Posts.This issue affects Republish Old Posts: from n/a through 1.21. | 8.8 |
2024-01-05 | CVE-2023-52149 | WOW Company | Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Floating Button Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Floating Button.This issue affects Floating Button: from n/a through 6.0. | 8.8 |
2024-01-05 | CVE-2023-52150 | Ovation | Cross-Site Request Forgery (CSRF) vulnerability in Ovation Dynamic Content for Elementor Cross-Site Request Forgery (CSRF) vulnerability in Ovation S.R.L. | 8.8 |
2024-01-05 | CVE-2023-52184 | Wpjobportal | Cross-Site Request Forgery (CSRF) vulnerability in Wpjobportal WP JOB Portal Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Job Portal – A Complete Job Board.This issue affects WP Job Portal – A Complete Job Board: from n/a through 2.0.6. | 8.8 |
2024-01-04 | CVE-2023-50760 | Kashipara | Unrestricted Upload of File with Dangerous Type vulnerability in Kashipara Online Notice Board System 1.0 Online Notice Board System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'f' parameter of user/update_profile_pic.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application. | 8.8 |
2024-01-04 | CVE-2024-21625 | Sidequestvr | Improper Input Validation vulnerability in Sidequestvr Sidequest SideQuest is a place to get virtual reality applications for Oculus Quest. | 8.8 |
2024-01-04 | CVE-2024-0222 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in ANGLE in Google Chrome prior to 120.0.6099.199 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2024-01-04 | CVE-2024-0223 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in ANGLE in Google Chrome prior to 120.0.6099.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2024-01-04 | CVE-2024-0224 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in WebAudio in Google Chrome prior to 120.0.6099.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2024-01-04 | CVE-2024-0225 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in WebGPU in Google Chrome prior to 120.0.6099.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2024-01-03 | CVE-2023-5880 | Geniecompany | Cross-site Scripting vulnerability in Geniecompany Aladdin Connect Garage Door Opener Firmware When the Genie Company Aladdin Connect garage door opener (Retrofit-Kit Model ALDCM) is placed into configuration mode the web servers “Garage Door Control Module Setup” page is vulnerable to XSS via a broadcast SSID name containing malicious code with client side Java Script and/or HTML. | 8.8 |
2024-01-03 | CVE-2024-21622 | Craftcms | Unspecified vulnerability in Craftcms Craft CMS Craft is a content management system. | 8.8 |
2024-01-02 | CVE-2024-0196 | Ssssssss | Code Injection vulnerability in Ssssssss Magic-Api A vulnerability has been found in Magic-Api up to 2.0.1 and classified as critical. | 8.8 |
2024-01-02 | CVE-2024-0185 | NIA | Unrestricted Upload of File with Dangerous Type vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0 A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. | 8.8 |
2024-01-01 | CVE-2023-50094 | Yogeshojha | OS Command Injection vulnerability in Yogeshojha Rengine reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. | 8.8 |
2024-01-03 | CVE-2023-5881 | Geniecompany | Missing Authentication for Critical Function vulnerability in Geniecompany Aladdin Connect Garage Door Opener Firmware Unauthenticated access permitted to web interface page The Genie Company Aladdin Connect (Retrofit-Kit Model ALDCM) "Garage Door Control Module Setup" and modify the Garage door's SSID settings. | 8.2 |
2024-01-03 | CVE-2023-45559 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in Tamaki_hamanoki Line v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. | 8.2 |
2024-01-07 | CVE-2023-7211 | Uniwayinfo | Improper Authentication vulnerability in Uniwayinfo products A vulnerability was found in Uniway Router 2.0. | 8.1 |
2024-01-02 | CVE-2024-0188 | NIA | Weak Password Requirements vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0 A vulnerability, which was classified as problematic, was found in RRJ Nueva Ecija Engineer Online Portal 1.0. | 8.1 |
2024-01-02 | CVE-2024-0186 | Huiran Host Reseller System Project | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Huiran Host Reseller System Project Huiran Host Reseller System A vulnerability classified as problematic has been found in HuiRan Host Reseller System up to 2.0.0. | 8.1 |
2024-01-07 | CVE-2023-47145 | IBM | Unspecified vulnerability in IBM DB2 IBM Db2 for Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow a local user to escalate their privileges to the SYSTEM user using the MSI repair functionality. | 7.8 |
2024-01-06 | CVE-2023-50612 | Fit2Cloud | Incorrect Default Permissions vulnerability in Fit2Cloud Cloudexplorer Lite 1.4.1 Insecure Permissions vulnerability in fit2cloud Cloud Explorer Lite version 1.4.1, allow local attackers to escalate privileges and obtain sensitive information via the cloud accounts parameter. | 7.8 |
2024-01-05 | CVE-2023-34322 | XEN | Improper Check for Dropped Privileges vulnerability in XEN For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. | 7.8 |
2024-01-05 | CVE-2023-34325 | XEN | Out-of-bounds Write vulnerability in XEN [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. | 7.8 |
2024-01-05 | CVE-2023-34326 | XEN | Unspecified vulnerability in XEN The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions. | 7.8 |
2024-01-04 | CVE-2021-40367 | Siemens Healthineers | Out-of-bounds Write vulnerability in Siemens-Healthineers Syngo Fastview A vulnerability has been identified in syngo fastView (All versions). | 7.8 |
2024-01-04 | CVE-2021-42028 | Siemens Healthineers | Out-of-bounds Write vulnerability in Siemens-Healthineers Syngo Fastview A vulnerability has been identified in syngo fastView (All versions). | 7.8 |
2024-01-04 | CVE-2021-45465 | Siemens Healthineers | Write-what-where Condition vulnerability in Siemens-Healthineers Syngo Fastview A vulnerability has been identified in syngo fastView (All versions). | 7.8 |
2024-01-03 | CVE-2023-6338 | Lenovo | Uncontrolled Search Path Element vulnerability in Lenovo Universal Device Client Uncontrolled search path vulnerabilities were reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges. | 7.8 |
2024-01-03 | CVE-2024-21633 | Apktool | Path Traversal vulnerability in Apktool Apktool is a tool for reverse engineering Android APK files. | 7.8 |
2024-01-03 | CVE-2023-41776 | ZTE | Improper Privilege Management vulnerability in ZTE Zxcloud Irai Firmware There is a local privilege escalation vulnerability of ZTE's ZXCLOUD iRAI.Attackers with regular user privileges can create a fake process, and to escalate local privileges. | 7.8 |
2024-01-03 | CVE-2023-41780 | ZTE | Uncontrolled Search Path Element vulnerability in ZTE Zxcloud Irai Firmware There is an unsafe DLL loading vulnerability in ZTE ZXCLOUD iRAI. | 7.8 |
2024-01-03 | CVE-2023-41783 | ZTE | Code Injection vulnerability in ZTE Zxcloud Irai Firmware There is a command injection vulnerability of ZTE's ZXCLOUD iRAI. | 7.8 |
2024-01-02 | CVE-2023-48418 | Unspecified vulnerability in Google Pixel Watch Firmware In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW completion due to an insecure default value. | 7.8 | |
2024-01-02 | CVE-2023-49794 | Kernelsu | Authentication Bypass by Spoofing vulnerability in Kernelsu KernelSU is a Kernel-based root solution for Android devices. | 7.8 |
2024-01-02 | CVE-2023-28583 | Qualcomm | Double Free vulnerability in Qualcomm products Memory corruption when IPv6 prefix timer object`s lifetime expires which are created while Netmgr daemon gets an IPv6 address. | 7.8 |
2024-01-02 | CVE-2023-33030 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Memory corruption in HLOS while running playready use-case. | 7.8 |
2024-01-02 | CVE-2023-33032 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Memory corruption in TZ Secure OS while requesting a memory allocation from TA region. | 7.8 |
2024-01-02 | CVE-2023-33033 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Memory corruption in Audio during playback with speaker protection. | 7.8 |
2024-01-02 | CVE-2023-33038 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Memory corruption while receiving a message in Bus Socket Transport Server. | 7.8 |
2024-01-02 | CVE-2023-33085 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Memory corruption in wearables while processing data from AON. | 7.8 |
2024-01-02 | CVE-2023-33094 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption while running VK synchronization with KASAN enabled. | 7.8 |
2024-01-02 | CVE-2023-33108 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption in Graphics Driver when destroying a context with KGSL_GPU_AUX_COMMAND_TIMELINE objects queued. | 7.8 |
2024-01-02 | CVE-2023-33113 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Memory corruption when resource manager sends the host kernel a reply message with multiple fragments. | 7.8 |
2024-01-02 | CVE-2023-33114 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption while running NPU, when NETWORK_UNLOAD and (NETWORK_UNLOAD or NETWORK_EXECUTE_V2) commands are submitted at the same time. | 7.8 |
2024-01-02 | CVE-2023-33117 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption when HLOS allocates the response payload buffer to copy the data received from ADSP in response to AVCS_LOAD_MODULE command. | 7.8 |
2024-01-02 | CVE-2023-33118 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption while processing Listen Sound Model client payload buffer when there is a request for Listen Sound session get parameter from ST HAL. | 7.8 |
2024-01-02 | CVE-2023-33120 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption in Audio when memory map command is executed consecutively in ADSP. | 7.8 |
2024-01-02 | CVE-2023-43514 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption while invoking IOCTLs calls from user space for internal mem MAP and internal mem UNMAP. | 7.8 |
2024-01-02 | CVE-2023-47039 | Perl | Out-of-bounds Write vulnerability in Perl A vulnerability was found in Perl. | 7.8 |
2024-01-03 | CVE-2023-42358 | O RAN SC | Missing Authorization vulnerability in O-Ran-Sc Ric-Plt-E2Mgr An issue was discovered in O-RAN Software Community ric-plt-e2mgr in the G-Release environment, allows remote attackers to cause a denial of service (DoS) via a crafted request to the E2Manager API component. | 7.7 |
2024-01-07 | CVE-2023-7209 | Uniwayinfo | Improper Resource Shutdown or Release vulnerability in Uniwayinfo products A vulnerability was found in Uniway Router up to 2.0. | 7.5 |
2024-01-07 | CVE-2024-0263 | Acme | Improper Resource Shutdown or Release vulnerability in Acme Ultra Mini Httpd 1.21 A vulnerability was found in ACME Ultra Mini HTTPd 1.21. | 7.5 |
2024-01-07 | CVE-2024-0261 | Ftpdmin Project | Improper Resource Shutdown or Release vulnerability in Ftpdmin Project Ftpdmin 0.96 A vulnerability has been found in Sentex FTPDMIN 0.96 and classified as problematic. | 7.5 |
2024-01-07 | CVE-2024-0260 | Engineers Online Portal Project | Insufficient Session Expiration vulnerability in Engineers Online Portal Project Engineers Online Portal 1.0 A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0. | 7.5 |
2024-01-05 | CVE-2024-21642 | MAN | Server-Side Request Forgery (SSRF) vulnerability in MAN D-Tale D-Tale is a visualizer for Pandas data structures. | 7.5 |
2024-01-05 | CVE-2023-39296 | Qnap | Unspecified vulnerability in Qnap QTS and Quts Hero A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. | 7.5 |
2024-01-05 | CVE-2023-52143 | Noorsplugin | Information Exposure Through Log Files vulnerability in Noorsplugin WP Stripe Checkout Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Naa986 WP Stripe Checkout.This issue affects WP Stripe Checkout: from n/a through 1.2.2.37. | 7.5 |
2024-01-05 | CVE-2023-50991 | Tenda | Classic Buffer Overflow vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Buffer Overflow vulnerability in Tenda i29 versions 1.0 V1.0.0.5 and 1.0 V1.0.0.2, allows remote attackers to cause a denial of service (DoS) via the pingIp parameter in the pingSet function. | 7.5 |
2024-01-04 | CVE-2024-0241 | Diaconou | Allocation of Resources Without Limits or Throttling vulnerability in Diaconou Encodedid::Rails encoded_id-rails versions before 1.0.0.beta2 are affected by an uncontrolled resource consumption vulnerability. | 7.5 |
2024-01-04 | CVE-2024-22050 | Boazsegev | Path Traversal vulnerability in Boazsegev Iodine Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs. | 7.5 |
2024-01-04 | CVE-2022-2081 | Hitachienergy | Out-of-bounds Write vulnerability in Hitachienergy products A vulnerability exists in the HCI Modbus TCP function included in the product versions listed above. | 7.5 |
2024-01-04 | CVE-2023-50082 | Pbootcms | Unspecified vulnerability in Pbootcms 3.1.2 Aoyun Technology pbootcms V3.1.2 is vulnerable to Incorrect Access Control, allows remote attackers to gain sensitive information via session leakage allows a user to avoid logging into the backend management platform. | 7.5 |
2024-01-03 | CVE-2023-50256 | Froxlor | Unspecified vulnerability in Froxlor Froxlor is open source server administration software. | 7.5 |
2024-01-03 | CVE-2024-21634 | Amazon | Allocation of Resources Without Limits or Throttling vulnerability in Amazon ION Amazon Ion is a Java implementation of the Ion data notation. | 7.5 |
2024-01-03 | CVE-2023-6540 | Lenovo | Unspecified vulnerability in Lenovo Browser HD and Browser Mobile A vulnerability was reported in the Lenovo Browser Mobile and Lenovo Browser HD Apps for Android that could allow an attacker to craft a payload that could result in the disclosure of sensitive information. | 7.5 |
2024-01-03 | CVE-2023-46929 | Gpac | Unspecified vulnerability in Gpac 2.3Devrev605Gfc9E29089Master An issue discovered in GPAC 2.3-DEV-rev605-gfc9e29089-master in MP4Box in gf_avc_change_vui /afltest/gpac/src/media_tools/av_parsers.c:6872:55 allows attackers to crash the application. | 7.5 |
2024-01-03 | CVE-2024-21907 | Newtonsoft | Improper Handling of Exceptional Conditions vulnerability in Newtonsoft Json.Net Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. | 7.5 |
2024-01-03 | CVE-2024-21909 | Peteroupc | Algorithmic Complexity vulnerability in Peteroupc Cbor PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of service vulnerability. | 7.5 |
2024-01-03 | CVE-2023-37607 | Automaticsystems | Path Traversal vulnerability in Automaticsystems SOC Fl9600 Firstlane Firmware 06 Directory Traversal in Automatic-Systems SOC FL9600 FastLine lego_T04E00 allows a remote attacker to obtain sensitive information. | 7.5 |
2024-01-03 | CVE-2023-37608 | Automaticsystems | Use of Hard-coded Credentials vulnerability in Automaticsystems SOC Fl9600 Firstlane Firmware 06 An issue in Automatic Systems SOC FL9600 FastLine v.lego_T04E00 allows a remote attacker to obtain sensitive information via the admin login credentials. | 7.5 |
2024-01-03 | CVE-2023-51785 | Apache | Deserialization of Untrusted Data vulnerability in Apache Inlong 1.7.0/1.8.0/1.9.0 Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9331 | 7.5 |
2024-01-03 | CVE-2023-38674 | Paddlepaddle | Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-38675 | Paddlepaddle | Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 FPE in paddle.linalg.matrix_rank in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-38676 | Paddlepaddle | NULL Pointer Dereference vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 Nullptr in paddle.dot in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-38677 | Paddlepaddle | Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 FPE in paddle.linalg.eig in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-38678 | Paddlepaddle | Out-of-bounds Read vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 OOB access in paddle.mode in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-52302 | Paddlepaddle | NULL Pointer Dereference vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-52303 | Paddlepaddle | NULL Pointer Dereference vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-52305 | Paddlepaddle | Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 FPE in paddle.topk in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-52306 | Paddlepaddle | Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 FPE in paddle.lerp in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-52308 | Paddlepaddle | Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 FPE in paddle.amin in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-52312 | Paddlepaddle | NULL Pointer Dereference vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2023-52313 | Paddlepaddle | Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1 FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. | 7.5 |
2024-01-03 | CVE-2024-0207 | Wireshark | Out-of-bounds Read vulnerability in Wireshark 4.2.0 HTTP3 dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file | 7.5 |
2024-01-03 | CVE-2024-0208 | Wireshark | Unspecified vulnerability in Wireshark GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file | 7.5 |
2024-01-03 | CVE-2024-0209 | Wireshark | NULL Pointer Dereference vulnerability in Wireshark IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file | 7.5 |
2024-01-03 | CVE-2024-0210 | Wireshark | Uncontrolled Recursion vulnerability in Wireshark 4.2.0 Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file | 7.5 |
2024-01-03 | CVE-2024-0211 | Wireshark | Infinite Loop vulnerability in Wireshark 4.2.0 DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file | 7.5 |
2024-01-03 | CVE-2023-47473 | Fuwushe | Path Traversal vulnerability in Fuwushe Ifair 23.8Ad0 Directory Traversal vulnerability in fuwushe.org iFair versions 23.8_ad0 and before allows an attacker to obtain sensitive information via a crafted script. | 7.5 |
2024-01-03 | CVE-2023-50341 | Hcltech | Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by Improper Access Control (Obsolete web pages) vulnerability. | 7.5 |
2024-01-03 | CVE-2023-50350 | Hcltech | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by the use of a broken cryptographic algorithm for encryption, potentially giving an attacker ability to decrypt sensitive information. | 7.5 |
2024-01-02 | CVE-2023-49549 | Cesanta | Unspecified vulnerability in Cesanta MJS 2.20.0 An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the msj.c file. | 7.5 |
2024-01-02 | CVE-2023-49550 | Cesanta | Unspecified vulnerability in Cesanta MJS 2.20.0 An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 component. | 7.5 |
2024-01-02 | CVE-2023-49551 | Cesanta | Unspecified vulnerability in Cesanta MJS 2.20.0 An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_parse function in the msj.c file. | 7.5 |
2024-01-02 | CVE-2023-49552 | Cesanta | Out-of-bounds Read vulnerability in Cesanta MJS 2.20.0 An Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file. | 7.5 |
2024-01-02 | CVE-2023-49553 | Cesanta | Unspecified vulnerability in Cesanta MJS 2.20.0 An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the msj.c file. | 7.5 |
2024-01-02 | CVE-2023-50020 | Open5Gs | Resource Exhaustion vulnerability in Open5Gs 2.6.6 An issue was discovered in open5gs v2.6.6. | 7.5 |
2024-01-02 | CVE-2024-21629 | EVM Project | Unspecified vulnerability in EVM Project EVM Rust EVM is an Ethereum Virtual Machine interpreter. | 7.5 |
2024-01-02 | CVE-2023-45892 | Floorsightsoftware | Authorization Bypass Through User-Controlled Key vulnerability in Floorsightsoftware Insight Q32023 An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information. | 7.5 |
2024-01-02 | CVE-2023-45893 | Floorsightsoftware | Authorization Bypass Through User-Controlled Key vulnerability in Floorsightsoftware Customer Portal Q32023 An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information. | 7.5 |
2024-01-02 | CVE-2022-3010 | Priva | Use of Password Hash With Insufficient Computational Effort vulnerability in Priva TOP Control Suite 8.7.8.0 The Priva TopControl Suite contains predictable credentials for the SSH service, based on the Serial number. | 7.5 |
2024-01-02 | CVE-2023-33040 | Qualcomm | Unspecified vulnerability in Qualcomm products Transient DOS in Data Modem during DTLS handshake. | 7.5 |
2024-01-02 | CVE-2023-33062 | Qualcomm | Unspecified vulnerability in Qualcomm products Transient DOS in WLAN Firmware while parsing a BTM request. | 7.5 |
2024-01-02 | CVE-2023-33109 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Transient DOS while processing a WMI P2P listen start command (0xD00A) sent from host. | 7.5 |
2024-01-02 | CVE-2023-33112 | Qualcomm | Unspecified vulnerability in Qualcomm products Transient DOS when WLAN firmware receives "reassoc response" frame including RIC_DATA element. | 7.5 |
2024-01-02 | CVE-2023-33116 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Transient DOS while parsing ieee80211_parse_mscs_ie in WIN WLAN driver. | 7.5 |
2024-01-02 | CVE-2023-43511 | Qualcomm | Infinite Loop vulnerability in Qualcomm products Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains `IPPROTO_NONE` as the next header. | 7.5 |
2024-01-02 | CVE-2023-43512 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm Qcn7606 Firmware Transient DOS while parsing GATT service data when the total amount of memory that is required by the multiple services is greater than the actual size of the services buffer. | 7.5 |
2024-01-02 | CVE-2023-26157 | GNU | Out-of-bounds Read vulnerability in GNU Libredwg Versions of the package libredwg before 0.12.5.6384 are vulnerable to Denial of Service (DoS) due to an out-of-bounds read involving section->num_pages in decode_r2007.c. | 7.5 |
2024-01-02 | CVE-2023-32886 | Mediatek | Out-of-bounds Write vulnerability in Mediatek Nr15, Nr16 and Nr17 In Modem IMS SMS UA, there is a possible out of bounds write due to a missing bounds check. | 7.5 |
2024-01-02 | CVE-2023-32887 | Mediatek | Out-of-bounds Write vulnerability in Mediatek Nr15, Nr16 and Nr17 In Modem IMS Stack, there is a possible system crash due to a missing bounds check. | 7.5 |
2024-01-02 | CVE-2023-32888 | Mediatek | Out-of-bounds Write vulnerability in Mediatek Nr15, Nr16 and Nr17 In Modem IMS Call UA, there is a possible out of bounds write due to a missing bounds check. | 7.5 |
2024-01-02 | CVE-2023-32889 | Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0 In Modem IMS Call UA, there is a possible out of bounds write due to a missing bounds check. | 7.5 | |
2024-01-02 | CVE-2023-32890 | Mediatek | Improper Input Validation vulnerability in Mediatek products In modem EMM, there is a possible system crash due to improper input validation. | 7.5 |
2024-01-01 | CVE-2023-50096 | ST | Classic Buffer Overflow vulnerability in ST X-Cube-Safea1 1.2.0 STMicroelectronics STSAFE-A1xx middleware before 3.3.7 allows MCU code execution if an adversary has the ability to read from and write to the I2C bus. | 7.5 |
2024-01-01 | CVE-2023-6064 | Payhere | Information Exposure Through Log Files vulnerability in Payhere Payment Gateway The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur. | 7.5 |
2024-01-01 | CVE-2023-6113 | WP Staging | Unspecified vulnerability in Wp-Staging WP Staging The WP STAGING WordPress Backup Plugin before 3.1.3 and WP STAGING Pro WordPress Backup Plugin before 5.1.3 do not prevent visitors from leaking key information about ongoing backups processes, allowing unauthenticated attackers to download said backups later. | 7.5 |
2024-01-01 | CVE-2023-6271 | Backupbliss | Unspecified vulnerability in Backupbliss Backup Migration 1.3.4 The Backup Migration WordPress plugin before 1.3.6 stores in-progress backups information in easy to find, publicly-accessible files, which may allow attackers monitoring those to leak sensitive information from the site's backups. | 7.5 |
2024-01-01 | CVE-2023-6421 | Wpdownloadmanager | Insufficiently Protected Credentials vulnerability in Wpdownloadmanager Wordpress Download Manager The Download Manager WordPress plugin before 3.2.83 does not protect file download's passwords, leaking it upon receiving an invalid one. | 7.5 |
2024-01-06 | CVE-2023-51441 | Apache | Server-Side Request Forgery (SSRF) vulnerability in Apache Axis ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. | 7.2 |
2024-01-05 | CVE-2023-39294 | Qnap | OS Command Injection vulnerability in Qnap QTS and Quts Hero An OS command injection vulnerability has been reported to affect several QNAP operating system versions. | 7.2 |
2024-01-05 | CVE-2023-45039 | Qnap | Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. | 7.2 |
2024-01-05 | CVE-2023-45040 | Qnap | Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. | 7.2 |
2024-01-05 | CVE-2023-45041 | Qnap | Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. | 7.2 |
2024-01-05 | CVE-2023-45042 | Qnap | Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. | 7.2 |
2024-01-05 | CVE-2023-45043 | Qnap | Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. | 7.2 |
2024-01-05 | CVE-2023-45044 | Qnap | Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. | 7.2 |
2024-01-03 | CVE-2023-50922 | GL Inet | Unrestricted Upload of File with Dangerous Type vulnerability in Gl-Inet products An issue was discovered on GL.iNet devices through 4.5.0. | 7.2 |
2024-01-04 | CVE-2023-6270 | Linux Fedoraproject | Use After Free vulnerability in multiple products A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. | 7.0 |
2024-01-02 | CVE-2023-33110 | Qualcomm | Race Condition vulnerability in Qualcomm products The session index variable in PCM host voice audio driver initialized before PCM open, accessed during event callback from ADSP and reset during PCM close may lead to race condition between event callback - PCM close and reset session index causing memory corruption. | 7.0 |
153 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-01-04 | CVE-2023-3726 | Ocsinventory NG | Cross-site Scripting vulnerability in Ocsinventory-Ng Ocsinventory-Ocsreports 2.12.0 OCSInventory allow stored email template with special characters that lead to a Stored cross-site Scripting. | 6.9 |
2024-01-03 | CVE-2023-5138 | Silabs | Missing Initialization of Resource vulnerability in Silabs Gecko Software Development KIT Glitch detection is not enabled by default for the CortexM33 core in Silicon Labs secure vault high parts EFx32xG2xB, except EFR32xG21B. | 6.8 |
2024-01-03 | CVE-2023-5879 | Geniecompany | Insecure Storage of Sensitive Information vulnerability in Geniecompany Aladdin Connect 5.65 Users’ product account authentication data was stored in clear text in The Genie Company Aladdin Connect Mobile Application Version 5.65 Build 2075 (and below) on Android Devices. | 6.8 |
2024-01-02 | CVE-2023-33014 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Information disclosure in Core services while processing a Diag command. | 6.8 |
2024-01-02 | CVE-2024-0193 | Linux Redhat | Use After Free vulnerability in multiple products A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. | 6.7 |
2024-01-02 | CVE-2023-32872 | Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0 In keyInstall, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2024-01-02 | CVE-2023-32877 | Out-of-bounds Write vulnerability in Google Android 12.0/13.0 In battery, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2024-01-02 | CVE-2023-32879 | Out-of-bounds Write vulnerability in Google Android 12.0/13.0 In battery, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2024-01-02 | CVE-2023-32882 | Out-of-bounds Write vulnerability in Google Android 12.0/13.0 In battery, there is a possible memory corruption due to a missing bounds check. | 6.7 | |
2024-01-02 | CVE-2023-32883 | Out-of-bounds Write vulnerability in Google Android 12.0/13.0 In Engineer Mode, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2024-01-02 | CVE-2023-32884 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 12.0/13.0 In netdagent, there is a possible information disclosure due to an incorrect bounds check. | 6.7 | |
2024-01-02 | CVE-2023-32885 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 12.0/13.0 In display drm, there is a possible memory corruption due to a missing bounds check. | 6.7 | |
2024-01-02 | CVE-2023-32891 | Google Mediatek | Out-of-bounds Write vulnerability in multiple products In bluetooth service, there is a possible out of bounds write due to improper input validation. | 6.7 |
2024-01-07 | CVE-2024-0280 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability has been found in Kashipara Food Management System up to 1.0 and classified as critical. | 6.5 |
2024-01-07 | CVE-2024-0281 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability was found in Kashipara Food Management System up to 1.0 and classified as critical. | 6.5 |
2024-01-07 | CVE-2024-0278 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability, which was classified as critical, has been found in Kashipara Food Management System up to 1.0. | 6.5 |
2024-01-07 | CVE-2024-0279 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability, which was classified as critical, was found in Kashipara Food Management System up to 1.0. | 6.5 |
2024-01-07 | CVE-2024-0276 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability classified as critical has been found in Kashipara Food Management System up to 1.0. | 6.5 |
2024-01-07 | CVE-2024-0277 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability classified as critical was found in Kashipara Food Management System up to 1.0. | 6.5 |
2024-01-07 | CVE-2024-0274 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability was found in Kashipara Food Management System up to 1.0. | 6.5 |
2024-01-07 | CVE-2024-0275 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability was found in Kashipara Food Management System up to 1.0. | 6.5 |
2024-01-07 | CVE-2024-0272 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability was found in Kashipara Food Management System up to 1.0 and classified as critical. | 6.5 |
2024-01-07 | CVE-2024-0273 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability was found in Kashipara Food Management System up to 1.0. | 6.5 |
2024-01-07 | CVE-2024-0271 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability has been found in Kashipara Food Management System up to 1.0 and classified as critical. | 6.5 |
2024-01-07 | CVE-2024-0270 | Kashipara | SQL Injection vulnerability in Kashipara Food Management System 1.0 A vulnerability, which was classified as critical, was found in Kashipara Food Management System up to 1.0. | 6.5 |
2024-01-06 | CVE-2023-39853 | Dzzoffice | SQL Injection vulnerability in Dzzoffice 2.01 SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module. | 6.5 |
2024-01-05 | CVE-2023-51678 | Doofinder | Cross-Site Request Forgery (CSRF) vulnerability in Doofinder Cross-Site Request Forgery (CSRF) vulnerability in Doofinder Doofinder WP & WooCommerce Search.This issue affects Doofinder WP & WooCommerce Search: from n/a through 2.0.33. | 6.5 |
2024-01-04 | CVE-2023-29962 | S CMS | Path Traversal vulnerability in S-Cms 5.0 S-CMS v5.0 was discovered to contain an arbitrary file read vulnerability. | 6.5 |
2024-01-04 | CVE-2023-6733 | Butlerblog | Missing Authorization vulnerability in Butlerblog Wp-Members 3.3.7 The WP-Members Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.8 via the wpmem_field shortcode. | 6.5 |
2024-01-04 | CVE-2024-20803 | Samsung | Improper Authentication vulnerability in Samsung Android 11.0/12.0 Improper authentication vulnerability in Bluetooth pairing process prior to SMR Jan-2024 Release 1 allows remote attackers to establish pairing process without user interaction. | 6.5 |
2024-01-03 | CVE-2023-46742 | Linuxfoundation | Information Exposure Through Log Files vulnerability in Linuxfoundation Cubefs CubeFS is an open-source cloud-native file storage system. | 6.5 |
2024-01-03 | CVE-2023-50253 | LAF | Information Exposure Through Log Files vulnerability in LAF Laf is a cloud development platform. | 6.5 |
2024-01-03 | CVE-2024-21631 | Vapor | Integer Overflow or Wraparound vulnerability in Vapor Vapor is an HTTP web framework for Swift. | 6.5 |
2024-01-03 | CVE-2023-30617 | Openkruise | Improper Privilege Management vulnerability in Openkruise Kruise Kruise provides automated management of large-scale applications on Kubernetes. | 6.5 |
2024-01-03 | CVE-2023-46738 | Linuxfoundation | Allocation of Resources Without Limits or Throttling vulnerability in Linuxfoundation Cubefs CubeFS is an open-source cloud-native file storage system. | 6.5 |
2024-01-03 | CVE-2023-7068 | Webtoffee | Missing Authorization vulnerability in Webtoffee Woocommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on theprint_packinglist action in all versions up to, and including, 4.3.0. | 6.5 |
2024-01-03 | CVE-2023-50343 | Hcltech | Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Controller APIs) vulnerability. | 6.5 |
2024-01-07 | CVE-2024-0286 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Hospital Management System 1.0 A vulnerability, which was classified as problematic, was found in PHPGurukul Hospital Management System 1.0. | 6.1 |
2024-01-07 | CVE-2024-0284 | Kashipara | Cross-site Scripting vulnerability in Kashipara Food Management System 1.0 A vulnerability was found in Kashipara Food Management System up to 1.0. | 6.1 |
2024-01-07 | CVE-2024-0282 | Kashipara | Cross-site Scripting vulnerability in Kashipara Food Management System 1.0 A vulnerability was found in Kashipara Food Management System up to 1.0. | 6.1 |
2024-01-07 | CVE-2024-0283 | Kashipara | Cross-site Scripting vulnerability in Kashipara Food Management System A vulnerability was found in Kashipara Food Management System up to 1.0. | 6.1 |
2024-01-06 | CVE-2023-50609 | AVA | Cross-site Scripting vulnerability in AVA Teaching Video Application Service Platform 3.1 Cross Site Scripting (XSS) vulnerability in AVA teaching video application service platform version 3.1, allows remote attackers to execute arbitrary code via a crafted script to ajax.aspx. | 6.1 |
2024-01-05 | CVE-2024-0246 | Icewarp | Cross-site Scripting vulnerability in Icewarp 12.0.2.1/12.0.3.1 A vulnerability classified as problematic has been found in IceWarp 12.0.2.1/12.0.3.1. | 6.1 |
2024-01-05 | CVE-2024-22075 | Firefly III | Cross-site Scripting vulnerability in Firefly-Iii Firefly III Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection. | 6.1 |
2024-01-04 | CVE-2024-22048 | GOV UK | Cross-site Scripting vulnerability in Gov.Uk Govuk Tech Docs govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. | 6.1 |
2024-01-04 | CVE-2024-21636 | Viewcomponent | Cross-site Scripting vulnerability in Viewcomponent View Component view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. | 6.1 |
2024-01-04 | CVE-2023-50630 | Teamwork Management System Project | Cross-site Scripting vulnerability in Teamwork Management System Project Teamwork Management System 2.28.0 Cross Site Scripting (XSS) vulnerability in xiweicheng TMS v.2.28.0 allows a remote attacker to execute arbitrary code via a crafted script to the click here function. | 6.1 |
2024-01-04 | CVE-2023-52322 | Spip | Cross-site Scripting vulnerability in Spip ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics. | 6.1 |
2024-01-03 | CVE-2024-21908 | Tiny | Cross-site Scripting vulnerability in Tiny Tinymce TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. | 6.1 |
2024-01-03 | CVE-2024-21910 | Tiny | Cross-site Scripting vulnerability in Tiny Tinymce TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. | 6.1 |
2024-01-03 | CVE-2024-21911 | Tiny | Cross-site Scripting vulnerability in Tiny Tinymce TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. | 6.1 |
2024-01-03 | CVE-2023-50093 | Apiida | Injection vulnerability in Apiida API Gateway Manager 2023.02.02 APIIDA API Gateway Manager for Broadcom Layer7 v2023.2.2 is vulnerable to Host Header Injection. | 6.1 |
2024-01-03 | CVE-2023-50092 | Apiida | Cross-site Scripting vulnerability in Apiida API Gateway Manager 2023.02.02 APIIDA API Gateway Manager for Broadcom Layer7 v2023.2 is vulnerable to Cross Site Scripting (XSS). | 6.1 |
2024-01-03 | CVE-2023-6621 | Wpexperts | Cross-site Scripting vulnerability in Wpexperts Post Smtp The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 6.1 |
2024-01-03 | CVE-2023-6629 | Wpexperts | Cross-site Scripting vulnerability in Wpexperts Post Smtp The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. | 6.1 |
2024-01-03 | CVE-2023-50345 | Hcltech | Open Redirect vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by an Open Redirect vulnerability which could allow an attacker to redirect users to malicious sites, potentially leading to phishing attacks or other security threats. | 6.1 |
2024-01-02 | CVE-2024-21628 | Prestashop | Cross-site Scripting vulnerability in Prestashop PrestaShop is an open-source e-commerce platform. | 6.1 |
2024-01-02 | CVE-2024-21627 | Prestashop | Cross-site Scripting vulnerability in Prestashop PrestaShop is an open-source e-commerce platform. | 6.1 |
2024-01-02 | CVE-2023-51652 | Spassarop | Cross-site Scripting vulnerability in Spassarop Owasp Antisamy .Net OWASP AntiSamy .NET is a library for performing cleansing of HTML coming from untrusted sources. | 6.1 |
2024-01-02 | CVE-2018-25097 | Acumos | Cross-site Scripting vulnerability in Acumos Design Studio A vulnerability, which was classified as problematic, was found in Acumos Design Studio up to 2.0.7. | 6.1 |
2024-01-02 | CVE-2015-10128 | Royaltechbd | Cross-site Scripting vulnerability in Royaltechbd Royal Prettyphoto 1.2 A vulnerability was found in rt-prettyphoto Plugin up to 1.2 on WordPress and classified as problematic. | 6.1 |
2024-01-02 | CVE-2023-26159 | Follow Redirects | Open Redirect vulnerability in Follow-Redirects Follow Redirects Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. | 6.1 |
2024-01-01 | CVE-2023-6000 | Sygnoos | Cross-site Scripting vulnerability in Sygnoos Popup Builder The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks. | 6.1 |
2024-01-01 | CVE-2024-21732 | Flycms Project | Cross-site Scripting vulnerability in Flycms Project Flycms 1.0 FlyCms through abbaa5a allows XSS via the permission management feature. | 6.1 |
2024-01-05 | CVE-2023-52323 | Pycryptodome | Information Exposure Through Discrepancy vulnerability in Pycryptodome and Pycryptodomex PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack. | 5.9 |
2024-01-03 | CVE-2023-46739 | Linuxfoundation | Information Exposure Through Discrepancy vulnerability in Linuxfoundation Cubefs CubeFS is an open-source cloud-native file storage system. | 5.9 |
2024-01-02 | CVE-2023-50019 | Open5Gs | Improper Handling of Exceptional Conditions vulnerability in Open5Gs 2.6.6 An issue was discovered in open5gs v2.6.6. | 5.9 |
2024-01-06 | CVE-2023-50121 | Autelrobotics | Unspecified vulnerability in Autelrobotics EVO Nano Drone Firmware 1.6.5 Autel EVO NANO drone flight control firmware version 1.6.5 is vulnerable to denial of service (DoS). | 5.7 |
2024-01-04 | CVE-2023-6944 | Redhat Linuxfoundation | Information Exposure Through an Error Message vulnerability in multiple products A flaw was found in the Red Hat Developer Hub (RHDH). | 5.7 |
2024-01-05 | CVE-2023-34323 | XEN | NULL Pointer Dereference vulnerability in XEN When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. | 5.5 |
2024-01-05 | CVE-2023-34327 | XEN | Unspecified vulnerability in XEN [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. | 5.5 |
2024-01-05 | CVE-2023-34328 | XEN | Unspecified vulnerability in XEN [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. | 5.5 |
2024-01-05 | CVE-2023-46835 | XEN | Unspecified vulnerability in XEN The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks. | 5.5 |
2024-01-04 | CVE-2023-6992 | Cloudflare | Out-of-bounds Write vulnerability in Cloudflare Zlib Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). | 5.5 |
2024-01-04 | CVE-2023-41784 | ZTE | Unspecified vulnerability in ZTE Redmagic 8 PRO Firmware Gencnnx729Jv1.0.0B21Mr Permissions and Access Control Vulnerability in ZTE Red Magic 8 Pro | 5.5 |
2024-01-04 | CVE-2024-20802 | Samsung | Unspecified vulnerability in Samsung DEX Improper access control vulnerability in Samsung DeX prior to SMR Jan-2024 Release 1 allows owner to access other users' notification in a multi-user environment. | 5.5 |
2024-01-04 | CVE-2024-20804 | Samsung | Path Traversal vulnerability in Samsung Android 11.0/12.0 Path traversal vulnerability in FileUriConverter of MyFiles prior to SMR Jan-2024 Release 1 in Android 11 and Android 12, and version 14.5.00.21 in Android 13 allows local attackers to write arbitrary file. | 5.5 |
2024-01-04 | CVE-2024-20805 | Samsung | Path Traversal vulnerability in Samsung Android 11.0/12.0 Path traversal vulnerability in ZipCompressor of MyFiles prior to SMR Jan-2024 Release 1 in Android 11 and Android 12, and version 14.5.00.21 in Android 13 allows local attackers to write arbitrary file. | 5.5 |
2024-01-04 | CVE-2024-20806 | Samsung | Unspecified vulnerability in Samsung Android 11.0/12.0 Improper access control in Notification service prior to SMR Jan-2024 Release 1 allows local attacker to access notification data. | 5.5 |
2024-01-04 | CVE-2024-20808 | Samsung | Unspecified vulnerability in Samsung Nearby Device Scanning Improper access control vulnerability in Nearby device scanning prior version 11.1.14.7 allows local attacker to access data. | 5.5 |
2024-01-04 | CVE-2024-20809 | Samsung | Unspecified vulnerability in Samsung Nearby Device Scanning Improper access control vulnerability in Nearby device scanning prior version 11.1.14.7 allows local attacker to access data. | 5.5 |
2024-01-03 | CVE-2023-41779 | ZTE | Incorrect Authorization vulnerability in ZTE Zxcloud Irai Firmware There is an illegal memory access vulnerability of ZTE's ZXCLOUD iRAI product.When the vulnerability is exploited by an attacker with the common user permission, the physical machine will be crashed. | 5.5 |
2024-01-03 | CVE-2023-49554 | Yasm Project | Use After Free vulnerability in Yasm Project Yasm 1.3.0.86.G9Def Use After Free vulnerability in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the do_directive function in the modules/preprocs/nasm/nasm-pp.c component. | 5.5 |
2024-01-03 | CVE-2023-49555 | Yasm Project | Unspecified vulnerability in Yasm Project Yasm 1.3.0.86.G9Def An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expand_smacro function in the modules/preprocs/nasm/nasm-pp.c component. | 5.5 |
2024-01-03 | CVE-2023-49556 | Yasm Project | Unspecified vulnerability in Yasm Project Yasm 1.3.0.86.G9Def Buffer Overflow vulnerability in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expr_delete_term function in the libyasm/expr.c component. | 5.5 |
2024-01-03 | CVE-2023-49557 | Yasm Project | Unspecified vulnerability in Yasm Project Yasm 1.3.0.86.G9Def An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the yasm_section_bcs_first function in the libyasm/section.c component. | 5.5 |
2024-01-03 | CVE-2023-49558 | Yasm Project | Unspecified vulnerability in Yasm Project Yasm 1.3.0.86.G9Def An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expand_mmac_params function in the modules/preprocs/nasm/nasm-pp.c component. | 5.5 |
2024-01-02 | CVE-2023-4164 | Missing Authorization vulnerability in Google Android There is a possible information disclosure due to a missing permission check. | 5.5 | |
2024-01-02 | CVE-2023-47216 | Openatom | Missing Release of Resource after Effective Lifetime vulnerability in Openatom Openharmony in OpenHarmony v3.2.2 and prior versions allow a local attacker cause DOS through occupy all resources | 5.5 |
2024-01-02 | CVE-2023-47857 | Openatom | Use After Free vulnerability in Openatom Openharmony in OpenHarmony v3.2.2 and prior versions allow a local attacker cause multimedia camera crash through modify a released pointer. | 5.5 |
2024-01-02 | CVE-2023-48360 | Openatom | Use After Free vulnerability in Openatom Openharmony in OpenHarmony v3.2.2 and prior versions allow a local attacker cause multimedia player crash through modify a released pointer. | 5.5 |
2024-01-02 | CVE-2023-49135 | Openatom | Use After Free vulnerability in Openatom Openharmony in OpenHarmony v3.2.2 and prior versions allow a local attacker cause multimedia player crash through modify a released pointer. | 5.5 |
2024-01-02 | CVE-2023-33036 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Permanent DOS in Hypervisor while untrusted VM without PSCI support makes a PSCI call. | 5.5 |
2024-01-02 | CVE-2023-33037 | Qualcomm | Missing Encryption of Sensitive Data vulnerability in Qualcomm products Cryptographic issue in Automotive while unwrapping the key secs2d and verifying with RPMB data. | 5.5 |
2024-01-02 | CVE-2023-32831 | Mediatek | Use of Insufficiently Random Values vulnerability in Mediatek Software Development KIT In wlan driver, there is a possible PIN crack due to use of insufficiently random values. | 5.5 |
2024-01-07 | CVE-2024-0266 | Yugeshverma | Cross-site Scripting vulnerability in Yugeshverma Online Lawyer Management System 1.0 A vulnerability classified as problematic has been found in Project Worlds Online Lawyer Management System 1.0. | 5.4 |
2024-01-06 | CVE-2023-6798 | Themeisle | Missing Authorization vulnerability in Themeisle RSS Aggregator BY Feedzy The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2. | 5.4 |
2024-01-06 | CVE-2023-6801 | Themeisle | Cross-site Scripting vulnerability in Themeisle RSS Aggregator BY Feedzy The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. | 5.4 |
2024-01-05 | CVE-2023-47559 | Qnap | Cross-site Scripting vulnerability in Qnap Qumagie 2.2.0 A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. | 5.4 |
2024-01-05 | CVE-2023-52124 | Shapedplugin | Cross-site Scripting vulnerability in Shapedplugin WP Tabs Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin LLC WP Tabs – Responsive Tabs Plugin for WordPress allows Stored XSS.This issue affects WP Tabs – Responsive Tabs Plugin for WordPress: from n/a through 2.2.0. | 5.4 |
2024-01-05 | CVE-2023-52125 | Iframe Project | Cross-site Scripting vulnerability in Iframe Project Iframe Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly iframe allows Stored XSS.This issue affects iframe: from n/a through 4.8. | 5.4 |
2024-01-05 | CVE-2023-52178 | Mojofywp | Cross-site Scripting vulnerability in Mojofywp WP Affiliate Disclosure Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MojofyWP WP Affiliate Disclosure allows Stored XSS.This issue affects WP Affiliate Disclosure: from n/a through 1.2.7. | 5.4 |
2024-01-04 | CVE-2023-6551 | Verot | Unrestricted Upload of File with Dangerous Type vulnerability in Verot Class.Upload.PHP As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. | 5.4 |
2024-01-04 | CVE-2023-7044 | Wpdeveloper | Cross-site Scripting vulnerability in Wpdeveloper Essential Addons for Elementor The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom ID in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. | 5.4 |
2024-01-04 | CVE-2023-6738 | Pagelayer | Cross-site Scripting vulnerability in Pagelayer The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
2024-01-03 | CVE-2023-6747 | Fooplugins | Cross-site Scripting vulnerability in Fooplugins Foogallery The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attributes in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. | 5.4 |
2024-01-03 | CVE-2023-6986 | Wpdeveloper | Cross-site Scripting vulnerability in Wpdeveloper Embedpress The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's embed_oembed_html shortcode in all versions up to 3.9.5 (exclusive) due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
2024-01-03 | CVE-2023-6524 | Mappresspro | Cross-site Scripting vulnerability in Mappresspro Mappress The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the map title parameter in all versions up to and including 2.88.13 due to insufficient input sanitization and output escaping. | 5.4 |
2024-01-03 | CVE-2023-6600 | Daan | Cross-site Scripting vulnerability in Daan Omgf The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. | 5.4 |
2024-01-03 | CVE-2023-7027 | Wpexperts | Cross-site Scripting vulnerability in Wpexperts Post Smtp The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. | 5.4 |
2024-01-03 | CVE-2023-50344 | Hcltech | Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by improper access control (Unauthenticated File Download) vulnerability. | 5.4 |
2024-01-02 | CVE-2024-0192 | NIA | Unrestricted Upload of File with Dangerous Type vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0 A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. | 5.4 |
2024-01-02 | CVE-2024-0190 | NIA | Cross-site Scripting vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0 A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0 and classified as problematic. | 5.4 |
2024-01-02 | CVE-2024-0189 | NIA | Cross-site Scripting vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0 A vulnerability has been found in RRJ Nueva Ecija Engineer Online Portal 1.0 and classified as problematic. | 5.4 |
2024-01-01 | CVE-2023-6485 | Bplugins | Cross-site Scripting vulnerability in Bplugins Html5 Video Player The Html5 Video Player WordPress plugin before 2.5.19 does not sanitise and escape some of its player settings, which combined with missing capability checks around the plugin could allow any authenticated users, such as low as subscribers to perform Stored Cross-Site Scripting attacks against high privilege users like admins | 5.4 |
2024-01-05 | CVE-2023-52126 | Sumanbhattarai | Unspecified vulnerability in Sumanbhattarai Send Users Email Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Suman Bhattarai Send Users Email.This issue affects Send Users Email: from n/a through 1.4.3. | 5.3 |
2024-01-05 | CVE-2023-52146 | Ajexperience | Information Exposure Through Log Files vulnerability in Ajexperience 404 Solution Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0. | 5.3 |
2024-01-05 | CVE-2023-52148 | Wpaffiliatemanager | Unspecified vulnerability in Wpaffiliatemanager Affiliates Manager Exposure of Sensitive Information to an Unauthorized Actor vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager.This issue affects Affiliates Manager: from n/a through 2.9.30. | 5.3 |
2024-01-05 | CVE-2023-52151 | Uncannyowl | Unspecified vulnerability in Uncannyowl Uncanny Automator Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Uncanny Automator, Uncanny Owl Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin.This issue affects Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin: from n/a through 5.1.0.2. | 5.3 |
2024-01-04 | CVE-2024-22049 | John Nunemaker | Exposure of Resource to Wrong Sphere vulnerability in John Nunemaker Httparty httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. | 5.3 |
2024-01-03 | CVE-2023-50348 | Hcltech | Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by an improper error handling vulnerability. | 5.3 |
2024-01-02 | CVE-2023-45561 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in A-WORLD OIRASE BEER_waiting Line v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. | 5.3 |
2024-01-02 | CVE-2024-0191 | NIA | File and Directory Information Exposure vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0 A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. | 5.3 |
2024-01-02 | CVE-2023-6693 | Qemu Redhat Fedoraproject | Out-of-bounds Write vulnerability in multiple products A stack based buffer overflow was found in the virtio-net device of QEMU. | 5.3 |
2024-01-05 | CVE-2023-34324 | XEN Linux | Resource Exhaustion vulnerability in multiple products Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. | 4.9 |
2024-01-03 | CVE-2023-6981 | Veronalabs | SQL Injection vulnerability in Veronalabs WP SMS The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to SQL Injection via the 'group_id' parameter in all versions up to, and including, 6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 4.9 |
2024-01-07 | CVE-2024-0262 | Projectworlds | Cross-site Scripting vulnerability in Projectworlds Online JOB Portal 1.0 A vulnerability was found in Online Job Portal 1.0 and classified as problematic. | 4.8 |
2024-01-05 | CVE-2023-41782 | ZTE | Uncontrolled Search Path Element vulnerability in ZTE Zxcloud Irai Firmware There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an attacker could place a fake DLL file in a specific directory and successfully exploit this vulnerability to execute malicious code. | 4.8 |
2024-01-04 | CVE-2023-6498 | Really Simple Plugins | Cross-site Scripting vulnerability in Really-Simple-Plugins Complianz The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 6.5.5 due to insufficient input sanitization and output escaping. | 4.8 |
2024-01-03 | CVE-2023-6004 | Libssh Redhat Fedoraproject | Injection vulnerability in multiple products A flaw was found in libssh. | 4.8 |
2024-01-02 | CVE-2024-0184 | NIA | Cross-site Scripting vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0 A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. | 4.8 |
2024-01-01 | CVE-2024-0183 | NIA | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0 A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. | 4.8 |
2024-01-01 | CVE-2024-0181 | NIA | Cross-site Scripting vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0 A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. | 4.8 |
2024-01-01 | CVE-2023-6037 | Ljapps | Cross-site Scripting vulnerability in Ljapps WP Tripadvisor Review Slider The WP TripAdvisor Review Slider WordPress plugin before 11.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2024-01-05 | CVE-2024-21641 | Flarum | Open Redirect vulnerability in Flarum Flarum is open source discussion platform software. | 4.7 |
2024-01-05 | CVE-2023-46836 | XEN | Unspecified vulnerability in XEN The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. | 4.7 |
2024-01-02 | CVE-2017-20188 | Zimbra | Cross-site Scripting vulnerability in Zimbra Zm-Ajax A vulnerability has been found in Zimbra zm-ajax up to 8.8.1 and classified as problematic. | 4.7 |
2024-01-04 | CVE-2022-3864 | Hitachienergy | Improper Verification of Cryptographic Signature vulnerability in Hitachienergy products A vulnerability exists in the Relion update package signature validation. | 4.5 |
2024-01-02 | CVE-2023-7192 | Linux Redhat | Memory Leak vulnerability in multiple products A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. | 4.4 |
2024-01-02 | CVE-2023-32875 | Out-of-bounds Read vulnerability in Google Android 11.0/12.0/13.0 In keyInstall, there is a possible information disclosure due to a missing bounds check. | 4.4 | |
2024-01-02 | CVE-2023-32876 | Out-of-bounds Read vulnerability in Google Android 11.0/12.0/13.0 In keyInstall, there is a possible information disclosure due to a missing bounds check. | 4.4 | |
2024-01-02 | CVE-2023-32878 | Out-of-bounds Read vulnerability in Google Android 12.0/13.0 In battery, there is a possible information disclosure due to a missing bounds check. | 4.4 | |
2024-01-02 | CVE-2023-32880 | Out-of-bounds Read vulnerability in Google Android 12.0/13.0 In battery, there is a possible information disclosure due to a missing bounds check. | 4.4 | |
2024-01-02 | CVE-2023-32881 | Integer Overflow or Wraparound vulnerability in Google Android 12.0/13.0 In battery, there is a possible information disclosure due to an integer overflow. | 4.4 | |
2024-01-05 | CVE-2023-6493 | Averta | Cross-Site Request Forgery (CSRF) vulnerability in Averta Depicter Slider The Depicter Slider – Responsive Image Slider, Video Slider & Post Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.6. | 4.3 |
2024-01-03 | CVE-2024-0201 | Webcodingplace | Missing Authorization vulnerability in Webcodingplace Product Expiry for Woocommerce The Product Expiry for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_settings' function in versions up to, and including, 2.5. | 4.3 |
2024-01-03 | CVE-2023-6984 | Ideabox | Cross-Site Request Forgery (CSRF) vulnerability in Ideabox Powerpack Addons for Elementor The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.13. | 4.3 |
2024-01-03 | CVE-2023-6980 | Veronalabs | Cross-site Scripting vulnerability in Veronalabs WP SMS The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5. | 4.3 |
2024-01-03 | CVE-2023-50342 | Hcltech | Authorization Bypass Through User-Controlled Key vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability. | 4.3 |
2024-01-03 | CVE-2023-50346 | Hcltech | Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1 HCL DRYiCE MyXalytics is impacted by an information disclosure vulnerability. | 4.3 |
2024-01-02 | CVE-2023-47858 | Mattermost | Unspecified vulnerability in Mattermost Server Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint. | 4.3 |
2024-01-02 | CVE-2023-48732 | Mattermost | Unspecified vulnerability in Mattermost Server Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel. | 4.3 |
2024-01-02 | CVE-2023-50333 | Mattermost | Unspecified vulnerability in Mattermost Server Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names. | 4.3 |
9 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-01-02 | CVE-2020-26623 | Gilacms | SQL Injection vulnerability in Gilacms Gila CMS SQL Injection vulnerability discovered in Gila CMS 1.15.4 and earlier allows a remote attacker to execute arbitrary web scripts via the Area parameter under the Administration>Widget tab after the login portal. | 3.8 |
2024-01-02 | CVE-2020-26624 | Gilacms | SQL Injection vulnerability in Gilacms Gila CMS A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the ID parameter after the login portal. | 3.8 |
2024-01-02 | CVE-2020-26625 | Gilacms | SQL Injection vulnerability in Gilacms Gila CMS A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the 'user_id' parameter after the login portal. | 3.8 |
2024-01-05 | CVE-2023-34321 | XEN | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in XEN Arm provides multiple helpers to clean & invalidate the cache for a given region. | 3.3 |
2024-01-05 | CVE-2023-46837 | XEN | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in XEN Arm provides multiple helpers to clean & invalidate the cache for a given region. | 3.3 |
2024-01-04 | CVE-2024-20807 | Samsung | Unspecified vulnerability in Samsung Email 6.1.82.0 Implicit intent hijacking vulnerability in Samsung Email prior to version 6.1.90.16 allows local attacker to get sensitive information. | 3.3 |
2024-01-03 | CVE-2024-0217 | Packagekit Project Redhat Fedoraproject | Use After Free vulnerability in multiple products A use-after-free flaw was found in PackageKitd. | 3.3 |
2024-01-02 | CVE-2023-49142 | Openatom | Use After Free vulnerability in Openatom Openharmony in OpenHarmony v3.2.2 and prior versions allow a local attacker cause multimedia audio crash through modify a released pointer. | 3.3 |
2024-01-04 | CVE-2024-22047 | Collectiveidea | Race Condition vulnerability in Collectiveidea Audited A race condition exists in Audited 4.0.0 to 5.3.3 that can result in an authenticated user to cause audit log entries to be attributed to another user. | 3.1 |