Weekly Vulnerabilities Reports > January 1 to 7, 2024

Overview

387 new vulnerabilities reported during this period, including 72 critical vulnerabilities and 153 high severity vulnerabilities. This weekly summary report vulnerabilities in 660 products from 175 vendors including Kashipara, Qualcomm, Google, Paddlepaddle, and Qnap. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Cross-Site Request Forgery (CSRF)", and "Use After Free".

  • 299 reported vulnerabilities are remotely exploitables.
  • 128 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 230 reported vulnerabilities are exploitable by an anonymous user.
  • Kashipara has the most reported vulnerabilities, with 34 reported vulnerabilities.
  • Kashipara has the most reported critical vulnerabilities, with 18 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

72 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-07 CVE-2024-0287 Kashipara SQL Injection vulnerability in Kashipara Food Management System 1.0

A vulnerability was found in Kashipara Food Management System 1.0.

9.8
2024-01-07 CVE-2023-7212 Dedecms Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms

A vulnerability classified as critical has been found in DeDeCMS up to 5.7.112.

9.8
2024-01-07 CVE-2023-7210 Onenav Improper Authentication vulnerability in Onenav

A vulnerability was found in OneNav up to 0.9.33.

9.8
2024-01-07 CVE-2024-0268 Surajghosh SQL Injection vulnerability in Surajghosh Hospital Management System

A vulnerability, which was classified as critical, has been found in Kashipara Hospital Management System up to 1.0.

9.8
2024-01-07 CVE-2023-7208 Totolink Out-of-bounds Write vulnerability in Totolink X2000R Firmware 2.0.0B20230727.10434

A vulnerability classified as critical was found in Totolink X2000R_V2 2.0.0-B20230727.10434.

9.8
2024-01-07 CVE-2024-0267 Surajghosh SQL Injection vulnerability in Surajghosh Hospital Management System

A vulnerability classified as critical was found in Kashipara Hospital Management System up to 1.0.

9.8
2024-01-07 CVE-2024-0264 Oretnom23 Authorization Bypass Through User-Controlled Key vulnerability in Oretnom23 Clinic Queuing System 1.0

A vulnerability was found in SourceCodester Clinic Queuing System 1.0.

9.8
2024-01-06 CVE-2023-46953 Abocms SQL Injection vulnerability in Abocms Abo.Cms 5.9.3

SQL Injection vulnerability in ABO.CMS v.5.9.3, allows remote attackers to execute arbitrary code via the d parameter in the Documents module.

9.8
2024-01-05 CVE-2024-0247 Online Food Ordering System Project SQL Injection vulnerability in Online Food Ordering System Project Online Food Ordering System 1.0

A vulnerability classified as critical was found in CodeAstro Online Food Ordering System 1.0.

9.8
2024-01-05 CVE-2022-46839 Wiselyhub Unrestricted Upload of File with Dangerous Type vulnerability in Wiselyhub JS Help Desk

Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.

9.8
2024-01-05 CVE-2023-51673 Stylishpricelist Unspecified vulnerability in Stylishpricelist Stylish Price List

Cross-Site Request Forgery (CSRF) vulnerability in Designful Stylish Price List – Price Table Builder & QR Code Restaurant Menu.This issue affects Stylish Price List – Price Table Builder & QR Code Restaurant Menu: from n/a through 7.0.17.

9.8
2024-01-05 CVE-2020-13880 Irfanview Out-of-bounds Write vulnerability in Irfanview B3D

IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+1cbf heap-based out-of-bounds write.

9.8
2024-01-05 CVE-2023-50027 BUY Addons SQL Injection vulnerability in Buy-Addons Bazoom Magnifier

SQL Injection vulnerability in Buy Addons baproductzoommagnifier module for PrestaShop versions 1.0.16 and before, allows remote attackers to escalate privileges and gain sensitive information via BaproductzoommagnifierZoomModuleFrontController::run() method.

9.8
2024-01-05 CVE-2020-13878 Irfanview Out-of-bounds Write vulnerability in Irfanview B3D

IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+27ef heap-based out-of-bounds write.

9.8
2024-01-05 CVE-2020-13879 Irfanview Out-of-bounds Write vulnerability in Irfanview B3D

IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+214f heap-based out-of-bounds write.

9.8
2024-01-05 CVE-2023-51502 Automattic Authorization Bypass Through User-Controlled Key vulnerability in Automattic Woocommerce Stripe 7.6.1

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1.

9.8
2024-01-05 CVE-2023-51277 Tinowagner Unspecified vulnerability in Tinowagner Jupyter Notebook Viewer

nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has the get-task-allow entitlement for release builds.

9.8
2024-01-05 CVE-2024-22086 Hayyp Out-of-bounds Write vulnerability in Hayyp Cherry 20210105

handle_request in http.c in cherry through 4b877df has an sscanf stack-based buffer overflow via a long URI, leading to remote code execution.

9.8
2024-01-05 CVE-2024-22087 Alekseykurepin Out-of-bounds Write vulnerability in Alekseykurepin Pico Http Server in C 20210402

route in main.c in Pico HTTP Server in C through f3b69a6 has an sprintf stack-based buffer overflow via a long URI, leading to remote code execution.

9.8
2024-01-05 CVE-2024-22088 Chendotjs Use After Free vulnerability in Chendotjs Lotos Webserver 0.1.0/0.1.1

Lotos WebServer through 0.1.1 (commit 3eb36cc) has a use-after-free in buffer_avail() at buffer.h via a long URI, because realloc is mishandled.

9.8
2024-01-04 CVE-2024-22051 Github
Gjtorikian
Integer Overflow or Wraparound vulnerability in multiple products

CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability.

9.8
2024-01-04 CVE-2023-51154 Jizhicms Unspecified vulnerability in Jizhicms 2.5.0

Jizhicms v2.5 was discovered to contain an arbitrary file download vulnerability via the component /admin/c/PluginsController.php.

9.8
2024-01-04 CVE-2023-51812 Tenda Unspecified vulnerability in Tenda AX3 Firmware 16.03.12.11

Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /goform/SetNetControlList.

9.8
2024-01-04 CVE-2023-50862 Kashipara SQL Injection vulnerability in Kashipara Travel Website 1.0

Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-50863 Kashipara SQL Injection vulnerability in Kashipara Travel Website 1.0

Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-50864 Kashipara SQL Injection vulnerability in Kashipara Travel Website 1.0

Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-50865 Kashipara SQL Injection vulnerability in Kashipara Travel Website 1.0

Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-50866 Kashipara SQL Injection vulnerability in Kashipara Travel Website 1.0

Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-50867 Kashipara SQL Injection vulnerability in Kashipara Travel Website 1.0

Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-49622 Kashipara SQL Injection vulnerability in Kashipara Billing Software 1.0

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'itemnameid' parameter of the material_bill.php?action=itemRelation resource does not validate the characters received and they are sent unfiltered to the database.

9.8
2024-01-04 CVE-2023-49624 Kashipara SQL Injection vulnerability in Kashipara Billing Software 1.0

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-49625 Kashipara SQL Injection vulnerability in Kashipara Billing Software 1.0

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-49633 Kashipara SQL Injection vulnerability in Kashipara Billing Software 1.0

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-49639 Kashipara SQL Injection vulnerability in Kashipara Billing Software 1.0

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-49658 Kashipara SQL Injection vulnerability in Kashipara Billing Software 1.0

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-49665 Kashipara SQL Injection vulnerability in Kashipara Billing Software 1.0

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-49666 Kashipara SQL Injection vulnerability in Kashipara Billing System 1.0

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-50743 Kashipara SQL Injection vulnerability in Kashipara Online Notice Board System 1.0

Online Notice Board System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-50752 Kashipara SQL Injection vulnerability in Kashipara Online Notice Board System 1.0

Online Notice Board System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-04 CVE-2023-50753 Kashipara SQL Injection vulnerability in Kashipara Online Notice Board System 1.0

Online Notice Board System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

9.8
2024-01-03 CVE-2023-49442 Jeecg Deserialization of Untrusted Data vulnerability in Jeecg

Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via crafted POST request.

9.8
2024-01-03 CVE-2023-50090 Ureport2 Project Unspecified vulnerability in Ureport2 Project Ureport2

Arbitrary File Write vulnerability in the saveReportFile method of ureport2 2.2.9 and before allows attackers to write arbitrary files and run arbitrary commands via crafted POST request.

9.8
2024-01-03 CVE-2023-46740 Linuxfoundation Use of Insufficiently Random Values vulnerability in Linuxfoundation Cubefs

CubeFS is an open-source cloud-native file storage system.

9.8
2024-01-03 CVE-2023-46741 Linuxfoundation Unspecified vulnerability in Linuxfoundation Cubefs

CubeFS is an open-source cloud-native file storage system.

9.8
2024-01-03 CVE-2023-51784 Apache Code Injection vulnerability in Apache Inlong

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9329

9.8
2024-01-03 CVE-2023-50921 GL Inet Unspecified vulnerability in Gl-Inet products

An issue was discovered on GL.iNet devices through 4.5.0.

9.8
2024-01-03 CVE-2023-52304 Paddlepaddle Out-of-bounds Write vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0.

9.8
2024-01-03 CVE-2023-52307 Paddlepaddle Out-of-bounds Write vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0.

9.8
2024-01-03 CVE-2023-52309 Paddlepaddle Out-of-bounds Write vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0.

9.8
2024-01-03 CVE-2023-52310 Paddlepaddle OS Command Injection vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval.

9.8
2024-01-03 CVE-2023-52311 Paddlepaddle OS Command Injection vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

PaddlePaddle before 2.6.0 has a command injection in _wget_download.

9.8
2024-01-03 CVE-2023-52314 Paddlepaddle OS Command Injection vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare.

9.8
2024-01-03 CVE-2023-46308 Plotly Unspecified vulnerability in Plotly Plotly.Js

In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.

9.8
2024-01-03 CVE-2023-45722 Hcltech Path Traversal vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by path traversal arbitrary file read vulnerability because it uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory.

9.8
2024-01-03 CVE-2023-45723 Hcltech Path Traversal vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by path traversal vulnerability which allows file upload capability.

9.8
2024-01-03 CVE-2023-45724 Hcltech Unrestricted Upload of File with Dangerous Type vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability.

9.8
2024-01-02 CVE-2023-6339 Google Missing Encryption of Sensitive Data vulnerability in Google Nest Wifi PRO Firmware

Google Nest WiFi Pro root code-execution & user-data compromise

9.8
2024-01-02 CVE-2024-21632 Recognizeapp Improper Authentication vulnerability in Recognizeapp Omniauth::Microsoftgraph

omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API.

9.8
2024-01-02 CVE-2023-47458 Bladex Missing Authorization vulnerability in Bladex Springblade 3.2.0/3.6.0/3.7.0

An issue in SpringBlade v.3.7.0 and before allows a remote attacker to escalate privileges via the lack of permissions control framework.

9.8
2024-01-02 CVE-2024-0194 Codeastro Unrestricted Upload of File with Dangerous Type vulnerability in Codeastro Internet Banking System 1.0

A vulnerability, which was classified as critical, has been found in CodeAstro Internet Banking System up to 1.0.

9.8
2024-01-02 CVE-2024-0195 Ssssssss Code Injection vulnerability in Ssssssss Spider-Flow 0.4.3

A vulnerability, which was classified as critical, was found in spider-flow 0.4.3.

9.8
2024-01-02 CVE-2024-21623 Mehah Injection vulnerability in Mehah Otclient

OTCLient is an alternative tibia client for otserv.

9.8
2024-01-02 CVE-2023-50711 Rust VMM Out-of-bounds Write vulnerability in Rust-Vmm Vmm-Sys-Util

vmm-sys-util is a collection of modules that provides helpers and utilities used by multiple rust-vmm components.

9.8
2024-01-02 CVE-2023-48419 Google Unspecified vulnerability in Google products

An attacker in the wifi vicinity of a target Google Home can spy on the victim, resulting in Elevation of Privilege 

9.8
2024-01-02 CVE-2023-4280 Silabs Unspecified vulnerability in Silabs Gecko Software Development KIT

An unvalidated input in Silicon Labs TrustZone implementation in v4.3.x and earlier of the Gecko SDK allows an attacker to access the trusted region of memory from the untrusted region.

9.8
2024-01-02 CVE-2023-6436 Ekolbilisim SQL Injection vulnerability in Ekolbilisim web Sablonu Yazilimi 20231215

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection.This issue affects Website Template: through 20231215.

9.8
2024-01-02 CVE-2023-33025 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Memory corruption in Data Modem when a non-standard SDP body, during a VOLTE call.

9.8
2024-01-02 CVE-2023-32874 Mediatek Out-of-bounds Write vulnerability in Mediatek products

In Modem IMS Stack, there is a possible out of bounds write due to a missing bounds check.

9.8
2024-01-01 CVE-2024-0182 Janobe SQL Injection vulnerability in Janobe Engineers Online Portal 1.0

A vulnerability was found in SourceCodester Engineers Online Portal 1.0 and classified as critical.

9.8
2024-01-01 CVE-2023-5877 Servit Missing Authorization vulnerability in Servit Affiliate-Toolkit

The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue.

9.8
2024-01-03 CVE-2023-39655 Perfood Injection vulnerability in Perfood Couchauth

A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0.

9.6
2024-01-03 CVE-2023-50351 Hcltech Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by the use of an insecure key rotation mechanism which can allow an attacker to compromise the confidentiality or integrity of data.

9.1

153 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-07 CVE-2023-7214 Totolink Out-of-bounds Write vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216

A vulnerability, which was classified as critical, has been found in Totolink N350RT 9.3.5u.6139_B20201216.

8.8
2024-01-07 CVE-2023-7213 Totolink Out-of-bounds Write vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216

A vulnerability classified as critical was found in Totolink N350RT 9.3.5u.6139_B20201216.

8.8
2024-01-07 CVE-2024-0265 Oretnom23 External Control of File Name or Path vulnerability in Oretnom23 Clinic Queuing System 1.0

A vulnerability was found in SourceCodester Clinic Queuing System 1.0.

8.8
2024-01-05 CVE-2023-41287 Qnap SQL Injection vulnerability in Qnap Video Station 5.7.1

A SQL injection vulnerability has been reported to affect Video Station.

8.8
2024-01-05 CVE-2023-41288 Qnap OS Command Injection vulnerability in Qnap Video Station 5.7.1

An OS command injection vulnerability has been reported to affect Video Station.

8.8
2024-01-05 CVE-2023-41289 Qnap OS Command Injection vulnerability in Qnap Qcalagent 1.1.6/1.1.7

An OS command injection vulnerability has been reported to affect QcalAgent.

8.8
2024-01-05 CVE-2023-47219 Qnap SQL Injection vulnerability in Qnap Qumagie 2.2.0

A SQL injection vulnerability has been reported to affect QuMagie.

8.8
2024-01-05 CVE-2023-47560 Qnap Command Injection vulnerability in Qnap Qumagie 2.2.0

An OS command injection vulnerability has been reported to affect QuMagie.

8.8
2024-01-05 CVE-2023-51535 Cleantalk Cross-Site Request Forgery (CSRF) vulnerability in Cleantalk Spam Protection, Antispam, Firewall

Cross-Site Request Forgery (CSRF) vulnerability in ?leanTalk - Anti-Spam Protection Spam protection, Anti-Spam, FireWall by CleanTalk.This issue affects Spam protection, Anti-Spam, FireWall by CleanTalk: from n/a through 6.20.

8.8
2024-01-05 CVE-2023-51538 Getawesomesupport Cross-Site Request Forgery (CSRF) vulnerability in Getawesomesupport Awesome Support

Cross-Site Request Forgery (CSRF) vulnerability in Awesome Support Team Awesome Support – WordPress HelpDesk & Support Plugin.This issue affects Awesome Support – WordPress HelpDesk & Support Plugin: from n/a through 6.1.5.

8.8
2024-01-05 CVE-2023-51539 Apollo13Themes Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Apollo13 Framework Extensions

Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Apollo13 Framework Extensions.This issue affects Apollo13 Framework Extensions: from n/a through 1.9.1.

8.8
2024-01-05 CVE-2023-51668 Wpzone Cross-Site Request Forgery (CSRF) vulnerability in Wpzone Inline Image Upload for Bbpress

Cross-Site Request Forgery (CSRF) vulnerability in WP Zone Inline Image Upload for BBPress.This issue affects Inline Image Upload for BBPress: from n/a through 1.1.18.

8.8
2024-01-05 CVE-2023-52119 Icegram Cross-Site Request Forgery (CSRF) vulnerability in Icegram Engage

Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building.This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.18.

8.8
2024-01-05 CVE-2023-52120 Basixonline Cross-Site Request Forgery (CSRF) vulnerability in Basixonline Nex-Forms

Cross-Site Request Forgery (CSRF) vulnerability in Basix NEX-Forms – Ultimate Form Builder – Contact forms and much more.This issue affects NEX-Forms – Ultimate Form Builder – Contact forms and much more: from n/a through 8.5.2.

8.8
2024-01-05 CVE-2023-52121 Nitropack Cross-Site Request Forgery (CSRF) vulnerability in Nitropack

Cross-Site Request Forgery (CSRF) vulnerability in NitroPack Inc.

8.8
2024-01-05 CVE-2023-52122 Presstigers Cross-Site Request Forgery (CSRF) vulnerability in Presstigers Simple JOB Board

Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Job Board.This issue affects Simple Job Board: from n/a through 2.10.6.

8.8
2024-01-05 CVE-2023-52123 Machothemes Cross-Site Request Forgery (CSRF) vulnerability in Machothemes Strong Testimonials

Cross-Site Request Forgery (CSRF) vulnerability in WPChill Strong Testimonials.This issue affects Strong Testimonials: from n/a through 3.1.10.

8.8
2024-01-05 CVE-2023-52127 Wpclever Cross-Site Request Forgery (CSRF) vulnerability in Wpclever WPC Product Bundles for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Product Bundles for WooCommerce.This issue affects WPC Product Bundles for WooCommerce: from n/a through 7.3.1.

8.8
2024-01-05 CVE-2023-52128 Linksoftwarellc Cross-Site Request Forgery (CSRF) vulnerability in Linksoftwarellc White Label

Cross-Site Request Forgery (CSRF) vulnerability in WhiteWP White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard.This issue affects White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard: from n/a through 2.9.0.

8.8
2024-01-05 CVE-2023-52129 Mtrv Cross-Site Request Forgery (CSRF) vulnerability in Mtrv Teachpress

Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler teachPress.This issue affects teachPress: from n/a through 9.0.4.

8.8
2024-01-05 CVE-2023-52130 Wpaffiliatemanager Cross-Site Request Forgery (CSRF) vulnerability in Wpaffiliatemanager Affiliates Manager

Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager.This issue affects Affiliates Manager: from n/a through 2.9.31.

8.8
2024-01-05 CVE-2023-52136 Smashballoon Cross-Site Request Forgery (CSRF) vulnerability in Smashballoon Custom Twitter Feeds

Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds – A Tweets Widget or X Feed Widget.This issue affects Custom Twitter Feeds – A Tweets Widget or X Feed Widget: from n/a through 2.1.2.

8.8
2024-01-05 CVE-2023-52145 Mariosalexandrou Cross-Site Request Forgery (CSRF) vulnerability in Mariosalexandrou Republish OLD Posts

Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou Republish Old Posts.This issue affects Republish Old Posts: from n/a through 1.21.

8.8
2024-01-05 CVE-2023-52149 WOW Company Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Floating Button

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Floating Button.This issue affects Floating Button: from n/a through 6.0.

8.8
2024-01-05 CVE-2023-52150 Ovation Cross-Site Request Forgery (CSRF) vulnerability in Ovation Dynamic Content for Elementor

Cross-Site Request Forgery (CSRF) vulnerability in Ovation S.R.L.

8.8
2024-01-05 CVE-2023-52184 Wpjobportal Cross-Site Request Forgery (CSRF) vulnerability in Wpjobportal WP JOB Portal

Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Job Portal – A Complete Job Board.This issue affects WP Job Portal – A Complete Job Board: from n/a through 2.0.6.

8.8
2024-01-04 CVE-2023-50760 Kashipara Unrestricted Upload of File with Dangerous Type vulnerability in Kashipara Online Notice Board System 1.0

Online Notice Board System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'f' parameter of user/update_profile_pic.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application.

8.8
2024-01-04 CVE-2024-21625 Sidequestvr Improper Input Validation vulnerability in Sidequestvr Sidequest

SideQuest is a place to get virtual reality applications for Oculus Quest.

8.8
2024-01-04 CVE-2024-0222 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in ANGLE in Google Chrome prior to 120.0.6099.199 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-01-04 CVE-2024-0223 Google
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in ANGLE in Google Chrome prior to 120.0.6099.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-01-04 CVE-2024-0224 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in WebAudio in Google Chrome prior to 120.0.6099.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-01-04 CVE-2024-0225 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in WebGPU in Google Chrome prior to 120.0.6099.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-01-03 CVE-2023-5880 Geniecompany Cross-site Scripting vulnerability in Geniecompany Aladdin Connect Garage Door Opener Firmware

When the Genie Company Aladdin Connect garage door opener (Retrofit-Kit Model ALDCM) is placed into configuration mode the web servers “Garage Door Control Module Setup” page is vulnerable to XSS via a broadcast SSID name containing malicious code with client side Java Script and/or HTML.

8.8
2024-01-03 CVE-2024-21622 Craftcms Unspecified vulnerability in Craftcms Craft CMS

Craft is a content management system.

8.8
2024-01-02 CVE-2024-0196 Ssssssss Code Injection vulnerability in Ssssssss Magic-Api

A vulnerability has been found in Magic-Api up to 2.0.1 and classified as critical.

8.8
2024-01-02 CVE-2024-0185 NIA Unrestricted Upload of File with Dangerous Type vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0

A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0.

8.8
2024-01-01 CVE-2023-50094 Yogeshojha OS Command Injection vulnerability in Yogeshojha Rengine

reNgine through 2.0.2 allows OS Command Injection if an adversary has a valid session ID.

8.8
2024-01-03 CVE-2023-5881 Geniecompany Missing Authentication for Critical Function vulnerability in Geniecompany Aladdin Connect Garage Door Opener Firmware

Unauthenticated access permitted to web interface page The Genie Company Aladdin Connect (Retrofit-Kit Model ALDCM) "Garage Door Control Module Setup" and modify the Garage door's SSID settings.

8.2
2024-01-03 CVE-2023-45559 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in Tamaki_hamanoki Line v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.

8.2
2024-01-07 CVE-2023-7211 Uniwayinfo Improper Authentication vulnerability in Uniwayinfo products

A vulnerability was found in Uniway Router 2.0.

8.1
2024-01-02 CVE-2024-0188 NIA Weak Password Requirements vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0

A vulnerability, which was classified as problematic, was found in RRJ Nueva Ecija Engineer Online Portal 1.0.

8.1
2024-01-02 CVE-2024-0186 Huiran Host Reseller System Project Weak Password Recovery Mechanism for Forgotten Password vulnerability in Huiran Host Reseller System Project Huiran Host Reseller System

A vulnerability classified as problematic has been found in HuiRan Host Reseller System up to 2.0.0.

8.1
2024-01-07 CVE-2023-47145 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow a local user to escalate their privileges to the SYSTEM user using the MSI repair functionality.

7.8
2024-01-06 CVE-2023-50612 Fit2Cloud Incorrect Default Permissions vulnerability in Fit2Cloud Cloudexplorer Lite 1.4.1

Insecure Permissions vulnerability in fit2cloud Cloud Explorer Lite version 1.4.1, allow local attackers to escalate privileges and obtain sensitive information via the cloud accounts parameter.

7.8
2024-01-05 CVE-2023-34322 XEN Improper Check for Dropped Privileges vulnerability in XEN

For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode.

7.8
2024-01-05 CVE-2023-34325 XEN Out-of-bounds Write vulnerability in XEN

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code.

7.8
2024-01-05 CVE-2023-34326 XEN Unspecified vulnerability in XEN

The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions.

7.8
2024-01-04 CVE-2021-40367 Siemens Healthineers Out-of-bounds Write vulnerability in Siemens-Healthineers Syngo Fastview

A vulnerability has been identified in syngo fastView (All versions).

7.8
2024-01-04 CVE-2021-42028 Siemens Healthineers Out-of-bounds Write vulnerability in Siemens-Healthineers Syngo Fastview

A vulnerability has been identified in syngo fastView (All versions).

7.8
2024-01-04 CVE-2021-45465 Siemens Healthineers Write-what-where Condition vulnerability in Siemens-Healthineers Syngo Fastview

A vulnerability has been identified in syngo fastView (All versions).

7.8
2024-01-03 CVE-2023-6338 Lenovo Uncontrolled Search Path Element vulnerability in Lenovo Universal Device Client

Uncontrolled search path vulnerabilities were reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges.

7.8
2024-01-03 CVE-2024-21633 Apktool Path Traversal vulnerability in Apktool

Apktool is a tool for reverse engineering Android APK files.

7.8
2024-01-03 CVE-2023-41776 ZTE Improper Privilege Management vulnerability in ZTE Zxcloud Irai Firmware

There is a local privilege escalation vulnerability of ZTE's ZXCLOUD iRAI.Attackers with regular user privileges can create a fake process, and to escalate local privileges.

7.8
2024-01-03 CVE-2023-41780 ZTE Uncontrolled Search Path Element vulnerability in ZTE Zxcloud Irai Firmware

There is an unsafe DLL loading vulnerability in ZTE ZXCLOUD iRAI.

7.8
2024-01-03 CVE-2023-41783 ZTE Code Injection vulnerability in ZTE Zxcloud Irai Firmware

There is a command injection vulnerability of ZTE's ZXCLOUD iRAI.

7.8
2024-01-02 CVE-2023-48418 Google Unspecified vulnerability in Google Pixel Watch Firmware

 In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a     possible way to access adb before SUW completion due to an insecure default     value.

7.8
2024-01-02 CVE-2023-49794 Kernelsu Authentication Bypass by Spoofing vulnerability in Kernelsu

KernelSU is a Kernel-based root solution for Android devices.

7.8
2024-01-02 CVE-2023-28583 Qualcomm Double Free vulnerability in Qualcomm products

Memory corruption when IPv6 prefix timer object`s lifetime expires which are created while Netmgr daemon gets an IPv6 address.

7.8
2024-01-02 CVE-2023-33030 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Memory corruption in HLOS while running playready use-case.

7.8
2024-01-02 CVE-2023-33032 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Memory corruption in TZ Secure OS while requesting a memory allocation from TA region.

7.8
2024-01-02 CVE-2023-33033 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Memory corruption in Audio during playback with speaker protection.

7.8
2024-01-02 CVE-2023-33038 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Memory corruption while receiving a message in Bus Socket Transport Server.

7.8
2024-01-02 CVE-2023-33085 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Memory corruption in wearables while processing data from AON.

7.8
2024-01-02 CVE-2023-33094 Qualcomm Use After Free vulnerability in Qualcomm products

Memory corruption while running VK synchronization with KASAN enabled.

7.8
2024-01-02 CVE-2023-33108 Qualcomm Use After Free vulnerability in Qualcomm products

Memory corruption in Graphics Driver when destroying a context with KGSL_GPU_AUX_COMMAND_TIMELINE objects queued.

7.8
2024-01-02 CVE-2023-33113 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Memory corruption when resource manager sends the host kernel a reply message with multiple fragments.

7.8
2024-01-02 CVE-2023-33114 Qualcomm Use After Free vulnerability in Qualcomm products

Memory corruption while running NPU, when NETWORK_UNLOAD and (NETWORK_UNLOAD or NETWORK_EXECUTE_V2) commands are submitted at the same time.

7.8
2024-01-02 CVE-2023-33117 Qualcomm Use After Free vulnerability in Qualcomm products

Memory corruption when HLOS allocates the response payload buffer to copy the data received from ADSP in response to AVCS_LOAD_MODULE command.

7.8
2024-01-02 CVE-2023-33118 Qualcomm Use After Free vulnerability in Qualcomm products

Memory corruption while processing Listen Sound Model client payload buffer when there is a request for Listen Sound session get parameter from ST HAL.

7.8
2024-01-02 CVE-2023-33120 Qualcomm Use After Free vulnerability in Qualcomm products

Memory corruption in Audio when memory map command is executed consecutively in ADSP.

7.8
2024-01-02 CVE-2023-43514 Qualcomm Use After Free vulnerability in Qualcomm products

Memory corruption while invoking IOCTLs calls from user space for internal mem MAP and internal mem UNMAP.

7.8
2024-01-02 CVE-2023-47039 Perl Out-of-bounds Write vulnerability in Perl

A vulnerability was found in Perl.

7.8
2024-01-03 CVE-2023-42358 O RAN SC Missing Authorization vulnerability in O-Ran-Sc Ric-Plt-E2Mgr

An issue was discovered in O-RAN Software Community ric-plt-e2mgr in the G-Release environment, allows remote attackers to cause a denial of service (DoS) via a crafted request to the E2Manager API component.

7.7
2024-01-07 CVE-2023-7209 Uniwayinfo Improper Resource Shutdown or Release vulnerability in Uniwayinfo products

A vulnerability was found in Uniway Router up to 2.0.

7.5
2024-01-07 CVE-2024-0263 Acme Improper Resource Shutdown or Release vulnerability in Acme Ultra Mini Httpd 1.21

A vulnerability was found in ACME Ultra Mini HTTPd 1.21.

7.5
2024-01-07 CVE-2024-0261 Ftpdmin Project Improper Resource Shutdown or Release vulnerability in Ftpdmin Project Ftpdmin 0.96

A vulnerability has been found in Sentex FTPDMIN 0.96 and classified as problematic.

7.5
2024-01-07 CVE-2024-0260 Engineers Online Portal Project Insufficient Session Expiration vulnerability in Engineers Online Portal Project Engineers Online Portal 1.0

A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0.

7.5
2024-01-05 CVE-2024-21642 MAN Server-Side Request Forgery (SSRF) vulnerability in MAN D-Tale

D-Tale is a visualizer for Pandas data structures.

7.5
2024-01-05 CVE-2023-39296 Qnap Unspecified vulnerability in Qnap QTS and Quts Hero

A prototype pollution vulnerability has been reported to affect several QNAP operating system versions.

7.5
2024-01-05 CVE-2023-52143 Noorsplugin Information Exposure Through Log Files vulnerability in Noorsplugin WP Stripe Checkout

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Naa986 WP Stripe Checkout.This issue affects WP Stripe Checkout: from n/a through 1.2.2.37.

7.5
2024-01-05 CVE-2023-50991 Tenda Classic Buffer Overflow vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5

Buffer Overflow vulnerability in Tenda i29 versions 1.0 V1.0.0.5 and 1.0 V1.0.0.2, allows remote attackers to cause a denial of service (DoS) via the pingIp parameter in the pingSet function.

7.5
2024-01-04 CVE-2024-0241 Diaconou Allocation of Resources Without Limits or Throttling vulnerability in Diaconou Encodedid::Rails

encoded_id-rails versions before 1.0.0.beta2 are affected by an uncontrolled resource consumption vulnerability.

7.5
2024-01-04 CVE-2024-22050 Boazsegev Path Traversal vulnerability in Boazsegev Iodine

Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs.

7.5
2024-01-04 CVE-2022-2081 Hitachienergy Out-of-bounds Write vulnerability in Hitachienergy products

A vulnerability exists in the HCI Modbus TCP function included in the product versions listed above.

7.5
2024-01-04 CVE-2023-50082 Pbootcms Unspecified vulnerability in Pbootcms 3.1.2

Aoyun Technology pbootcms V3.1.2 is vulnerable to Incorrect Access Control, allows remote attackers to gain sensitive information via session leakage allows a user to avoid logging into the backend management platform.

7.5
2024-01-03 CVE-2023-50256 Froxlor Unspecified vulnerability in Froxlor

Froxlor is open source server administration software.

7.5
2024-01-03 CVE-2024-21634 Amazon Allocation of Resources Without Limits or Throttling vulnerability in Amazon ION

Amazon Ion is a Java implementation of the Ion data notation.

7.5
2024-01-03 CVE-2023-6540 Lenovo Unspecified vulnerability in Lenovo Browser HD and Browser Mobile

A vulnerability was reported in the Lenovo Browser Mobile and Lenovo Browser HD Apps for Android that could allow an attacker to craft a payload that could result in the disclosure of sensitive information.

7.5
2024-01-03 CVE-2023-46929 Gpac Unspecified vulnerability in Gpac 2.3Devrev605Gfc9E29089Master

An issue discovered in GPAC 2.3-DEV-rev605-gfc9e29089-master in MP4Box in gf_avc_change_vui /afltest/gpac/src/media_tools/av_parsers.c:6872:55 allows attackers to crash the application.

7.5
2024-01-03 CVE-2024-21907 Newtonsoft Improper Handling of Exceptional Conditions vulnerability in Newtonsoft Json.Net

Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability.

7.5
2024-01-03 CVE-2024-21909 Peteroupc Algorithmic Complexity vulnerability in Peteroupc Cbor

PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of service vulnerability.

7.5
2024-01-03 CVE-2023-37607 Automaticsystems Path Traversal vulnerability in Automaticsystems SOC Fl9600 Firstlane Firmware 06

Directory Traversal in Automatic-Systems SOC FL9600 FastLine lego_T04E00 allows a remote attacker to obtain sensitive information.

7.5
2024-01-03 CVE-2023-37608 Automaticsystems Use of Hard-coded Credentials vulnerability in Automaticsystems SOC Fl9600 Firstlane Firmware 06

An issue in Automatic Systems SOC FL9600 FastLine v.lego_T04E00 allows a remote attacker to obtain sensitive information via the admin login credentials.

7.5
2024-01-03 CVE-2023-51785 Apache Deserialization of Untrusted Data vulnerability in Apache Inlong 1.7.0/1.8.0/1.9.0

Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/9331

7.5
2024-01-03 CVE-2023-38674 Paddlepaddle Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

FPE in paddle.nanmedian in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-38675 Paddlepaddle Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

FPE in paddle.linalg.matrix_rank in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-38676 Paddlepaddle NULL Pointer Dereference vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

Nullptr in paddle.dot in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-38677 Paddlepaddle Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

FPE in paddle.linalg.eig in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-38678 Paddlepaddle Out-of-bounds Read vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

OOB access in paddle.mode in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-52302 Paddlepaddle NULL Pointer Dereference vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-52303 Paddlepaddle NULL Pointer Dereference vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-52305 Paddlepaddle Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

FPE in paddle.topk in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-52306 Paddlepaddle Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

FPE in paddle.lerp in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-52308 Paddlepaddle Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

FPE in paddle.amin in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-52312 Paddlepaddle NULL Pointer Dereference vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2023-52313 Paddlepaddle Divide By Zero vulnerability in Paddlepaddle 0.8.0/0.9.0/1.0.1

FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0.

7.5
2024-01-03 CVE-2024-0207 Wireshark Out-of-bounds Read vulnerability in Wireshark 4.2.0

HTTP3 dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file

7.5
2024-01-03 CVE-2024-0208 Wireshark Uncontrolled Recursion vulnerability in Wireshark

GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file

7.5
2024-01-03 CVE-2024-0209 Wireshark NULL Pointer Dereference vulnerability in Wireshark

IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file

7.5
2024-01-03 CVE-2024-0210 Wireshark Uncontrolled Recursion vulnerability in Wireshark 4.2.0

Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file

7.5
2024-01-03 CVE-2024-0211 Wireshark Uncontrolled Recursion vulnerability in Wireshark 4.2.0

DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file

7.5
2024-01-03 CVE-2023-47473 Fuwushe Path Traversal vulnerability in Fuwushe Ifair 23.8Ad0

Directory Traversal vulnerability in fuwushe.org iFair versions 23.8_ad0 and before allows an attacker to obtain sensitive information via a crafted script.

7.5
2024-01-03 CVE-2023-50341 Hcltech Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by Improper Access Control (Obsolete web pages) vulnerability.

7.5
2024-01-03 CVE-2023-50350 Hcltech Use of a Broken or Risky Cryptographic Algorithm vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by the use of a broken cryptographic algorithm for encryption, potentially giving an attacker ability to decrypt sensitive information.

7.5
2024-01-02 CVE-2023-49549 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the msj.c file.

7.5
2024-01-02 CVE-2023-49550 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 component.

7.5
2024-01-02 CVE-2023-49551 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_parse function in the msj.c file.

7.5
2024-01-02 CVE-2023-49552 Cesanta Out-of-bounds Read vulnerability in Cesanta MJS 2.20.0

An Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file.

7.5
2024-01-02 CVE-2023-49553 Cesanta Unspecified vulnerability in Cesanta MJS 2.20.0

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the msj.c file.

7.5
2024-01-02 CVE-2023-50020 Open5Gs Resource Exhaustion vulnerability in Open5Gs 2.6.6

An issue was discovered in open5gs v2.6.6.

7.5
2024-01-02 CVE-2024-21629 EVM Project Unspecified vulnerability in EVM Project EVM

Rust EVM is an Ethereum Virtual Machine interpreter.

7.5
2024-01-02 CVE-2023-45892 Floorsightsoftware Authorization Bypass Through User-Controlled Key vulnerability in Floorsightsoftware Insight Q32023

An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.

7.5
2024-01-02 CVE-2023-45893 Floorsightsoftware Authorization Bypass Through User-Controlled Key vulnerability in Floorsightsoftware Customer Portal Q32023

An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.

7.5
2024-01-02 CVE-2022-3010 Priva Use of Password Hash With Insufficient Computational Effort vulnerability in Priva TOP Control Suite 8.7.8.0

The Priva TopControl Suite contains predictable credentials for the SSH service, based on the Serial number.

7.5
2024-01-02 CVE-2023-33040 Qualcomm Unspecified vulnerability in Qualcomm products

Transient DOS in Data Modem during DTLS handshake.

7.5
2024-01-02 CVE-2023-33062 Qualcomm Unspecified vulnerability in Qualcomm products

Transient DOS in WLAN Firmware while parsing a BTM request.

7.5
2024-01-02 CVE-2023-33109 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Transient DOS while processing a WMI P2P listen start command (0xD00A) sent from host.

7.5
2024-01-02 CVE-2023-33112 Qualcomm Unspecified vulnerability in Qualcomm products

Transient DOS when WLAN firmware receives "reassoc response" frame including RIC_DATA element.

7.5
2024-01-02 CVE-2023-33116 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Transient DOS while parsing ieee80211_parse_mscs_ie in WIN WLAN driver.

7.5
2024-01-02 CVE-2023-43511 Qualcomm Infinite Loop vulnerability in Qualcomm products

Transient DOS while parsing IPv6 extension header when WLAN firmware receives an IPv6 packet that contains `IPPROTO_NONE` as the next header.

7.5
2024-01-02 CVE-2023-43512 Qualcomm Out-of-bounds Read vulnerability in Qualcomm Qcn7606 Firmware

Transient DOS while parsing GATT service data when the total amount of memory that is required by the multiple services is greater than the actual size of the services buffer.

7.5
2024-01-02 CVE-2023-26157 GNU Out-of-bounds Read vulnerability in GNU Libredwg

Versions of the package libredwg before 0.12.5.6384 are vulnerable to Denial of Service (DoS) due to an out-of-bounds read involving section->num_pages in decode_r2007.c.

7.5
2024-01-02 CVE-2023-32886 Mediatek Out-of-bounds Write vulnerability in Mediatek Nr15, Nr16 and Nr17

In Modem IMS SMS UA, there is a possible out of bounds write due to a missing bounds check.

7.5
2024-01-02 CVE-2023-32887 Mediatek Out-of-bounds Write vulnerability in Mediatek Nr15, Nr16 and Nr17

In Modem IMS Stack, there is a possible system crash due to a missing bounds check.

7.5
2024-01-02 CVE-2023-32888 Mediatek Out-of-bounds Write vulnerability in Mediatek Nr15, Nr16 and Nr17

In Modem IMS Call UA, there is a possible out of bounds write due to a missing bounds check.

7.5
2024-01-02 CVE-2023-32889 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In Modem IMS Call UA, there is a possible out of bounds write due to a missing bounds check.

7.5
2024-01-02 CVE-2023-32890 Mediatek Improper Input Validation vulnerability in Mediatek products

In modem EMM, there is a possible system crash due to improper input validation.

7.5
2024-01-01 CVE-2023-50096 ST Classic Buffer Overflow vulnerability in ST X-Cube-Safea1 1.2.0

STMicroelectronics STSAFE-A1xx middleware before 3.3.7 allows MCU code execution if an adversary has the ability to read from and write to the I2C bus.

7.5
2024-01-01 CVE-2023-6064 Payhere Information Exposure Through Log Files vulnerability in Payhere Payment Gateway

The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur.

7.5
2024-01-01 CVE-2023-6113 WP Staging Unspecified vulnerability in Wp-Staging WP Staging

The WP STAGING WordPress Backup Plugin before 3.1.3 and WP STAGING Pro WordPress Backup Plugin before 5.1.3 do not prevent visitors from leaking key information about ongoing backups processes, allowing unauthenticated attackers to download said backups later.

7.5
2024-01-01 CVE-2023-6271 Backupbliss Unspecified vulnerability in Backupbliss Backup Migration 1.3.4

The Backup Migration WordPress plugin before 1.3.6 stores in-progress backups information in easy to find, publicly-accessible files, which may allow attackers monitoring those to leak sensitive information from the site's backups.

7.5
2024-01-01 CVE-2023-6421 Wpdownloadmanager Insufficiently Protected Credentials vulnerability in Wpdownloadmanager Wordpress Download Manager

The Download Manager WordPress plugin before 3.2.83 does not protect file download's passwords, leaking it upon receiving an invalid one.

7.5
2024-01-06 CVE-2023-51441 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Axis

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java.

7.2
2024-01-05 CVE-2023-39294 Qnap OS Command Injection vulnerability in Qnap QTS and Quts Hero

An OS command injection vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-01-05 CVE-2023-45039 Qnap Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-01-05 CVE-2023-45040 Qnap Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-01-05 CVE-2023-45041 Qnap Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-01-05 CVE-2023-45042 Qnap Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-01-05 CVE-2023-45043 Qnap Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-01-05 CVE-2023-45044 Qnap Classic Buffer Overflow vulnerability in Qnap QTS and Quts Hero

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-01-03 CVE-2023-50922 GL Inet Unrestricted Upload of File with Dangerous Type vulnerability in Gl-Inet products

An issue was discovered on GL.iNet devices through 4.5.0.

7.2
2024-01-04 CVE-2023-6270 Linux
Fedoraproject
Use After Free vulnerability in multiple products

A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel.

7.0
2024-01-02 CVE-2023-33110 Qualcomm Race Condition vulnerability in Qualcomm products

The session index variable in PCM host voice audio driver initialized before PCM open, accessed during event callback from ADSP and reset during PCM close may lead to race condition between event callback - PCM close and reset session index causing memory corruption.

7.0

153 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-04 CVE-2023-3726 Ocsinventory NG Cross-site Scripting vulnerability in Ocsinventory-Ng Ocsinventory-Ocsreports 2.12.0

OCSInventory allow stored email template with special characters that lead to a Stored cross-site Scripting.

6.9
2024-01-03 CVE-2023-5138 Silabs Missing Initialization of Resource vulnerability in Silabs Gecko Software Development KIT

Glitch detection is not enabled by default for the CortexM33 core in Silicon Labs secure vault high parts EFx32xG2xB, except EFR32xG21B.

6.8
2024-01-03 CVE-2023-5879 Geniecompany Insecure Storage of Sensitive Information vulnerability in Geniecompany Aladdin Connect 5.65

Users’ product account authentication data was stored in clear text in The Genie Company Aladdin Connect Mobile Application Version 5.65 Build 2075 (and below) on Android Devices.

6.8
2024-01-02 CVE-2023-33014 Qualcomm Improper Input Validation vulnerability in Qualcomm products

Information disclosure in Core services while processing a Diag command.

6.8
2024-01-02 CVE-2024-0193 Linux
Redhat
Use After Free vulnerability in multiple products

A use-after-free flaw was found in the netfilter subsystem of the Linux kernel.

6.7
2024-01-02 CVE-2023-32872 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In keyInstall, there is a possible out of bounds write due to a missing bounds check.

6.7
2024-01-02 CVE-2023-32877 Google Out-of-bounds Write vulnerability in Google Android 12.0/13.0

In battery, there is a possible out of bounds write due to a missing bounds check.

6.7
2024-01-02 CVE-2023-32879 Google Out-of-bounds Write vulnerability in Google Android 12.0/13.0

In battery, there is a possible out of bounds write due to a missing bounds check.

6.7
2024-01-02 CVE-2023-32882 Google Out-of-bounds Write vulnerability in Google Android 12.0/13.0

In battery, there is a possible memory corruption due to a missing bounds check.

6.7
2024-01-02 CVE-2023-32883 Google Out-of-bounds Write vulnerability in Google Android 12.0/13.0

In Engineer Mode, there is a possible out of bounds write due to a missing bounds check.

6.7
2024-01-02 CVE-2023-32884 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 12.0/13.0

In netdagent, there is a possible information disclosure due to an incorrect bounds check.

6.7
2024-01-02 CVE-2023-32885 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 12.0/13.0

In display drm, there is a possible memory corruption due to a missing bounds check.

6.7
2024-01-02 CVE-2023-32891 Google
Mediatek
Out-of-bounds Write vulnerability in multiple products

In bluetooth service, there is a possible out of bounds write due to improper input validation.

6.7
2024-01-07 CVE-2024-0280 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability has been found in Kashipara Food Management System up to 1.0 and classified as critical.

6.5
2024-01-07 CVE-2024-0281 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability was found in Kashipara Food Management System up to 1.0 and classified as critical.

6.5
2024-01-07 CVE-2024-0278 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability, which was classified as critical, has been found in Kashipara Food Management System up to 1.0.

6.5
2024-01-07 CVE-2024-0279 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability, which was classified as critical, was found in Kashipara Food Management System up to 1.0.

6.5
2024-01-07 CVE-2024-0276 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability classified as critical has been found in Kashipara Food Management System up to 1.0.

6.5
2024-01-07 CVE-2024-0277 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability classified as critical was found in Kashipara Food Management System up to 1.0.

6.5
2024-01-07 CVE-2024-0274 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability was found in Kashipara Food Management System up to 1.0.

6.5
2024-01-07 CVE-2024-0275 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability was found in Kashipara Food Management System up to 1.0.

6.5
2024-01-07 CVE-2024-0272 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability was found in Kashipara Food Management System up to 1.0 and classified as critical.

6.5
2024-01-07 CVE-2024-0273 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability was found in Kashipara Food Management System up to 1.0.

6.5
2024-01-07 CVE-2024-0271 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability has been found in Kashipara Food Management System up to 1.0 and classified as critical.

6.5
2024-01-07 CVE-2024-0270 Kashipara SQL Injection vulnerability in Kashipara Food Management System

A vulnerability, which was classified as critical, was found in Kashipara Food Management System up to 1.0.

6.5
2024-01-06 CVE-2023-39853 Dzzoffice SQL Injection vulnerability in Dzzoffice 2.01

SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module.

6.5
2024-01-05 CVE-2023-51678 Doofinder Cross-Site Request Forgery (CSRF) vulnerability in Doofinder

Cross-Site Request Forgery (CSRF) vulnerability in Doofinder Doofinder WP & WooCommerce Search.This issue affects Doofinder WP & WooCommerce Search: from n/a through 2.0.33.

6.5
2024-01-04 CVE-2023-29962 S CMS Path Traversal vulnerability in S-Cms 5.0

S-CMS v5.0 was discovered to contain an arbitrary file read vulnerability.

6.5
2024-01-04 CVE-2023-6733 WP Members Project Missing Authorization vulnerability in Wp-Members Project Wp-Members

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.8 via the wpmem_field shortcode.

6.5
2024-01-04 CVE-2024-20803 Samsung Improper Authentication vulnerability in Samsung Android 11.0/12.0

Improper authentication vulnerability in Bluetooth pairing process prior to SMR Jan-2024 Release 1 allows remote attackers to establish pairing process without user interaction.

6.5
2024-01-03 CVE-2023-46742 Linuxfoundation Information Exposure Through Log Files vulnerability in Linuxfoundation Cubefs

CubeFS is an open-source cloud-native file storage system.

6.5
2024-01-03 CVE-2023-50253 LAF Information Exposure Through Log Files vulnerability in LAF

Laf is a cloud development platform.

6.5
2024-01-03 CVE-2024-21631 Vapor Integer Overflow or Wraparound vulnerability in Vapor

Vapor is an HTTP web framework for Swift.

6.5
2024-01-03 CVE-2023-30617 Openkruise Improper Privilege Management vulnerability in Openkruise Kruise

Kruise provides automated management of large-scale applications on Kubernetes.

6.5
2024-01-03 CVE-2023-46738 Linuxfoundation Allocation of Resources Without Limits or Throttling vulnerability in Linuxfoundation Cubefs

CubeFS is an open-source cloud-native file storage system.

6.5
2024-01-03 CVE-2023-7068 Webtoffee Missing Authorization vulnerability in Webtoffee Woocommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on theprint_packinglist action in all versions up to, and including, 4.3.0.

6.5
2024-01-03 CVE-2023-50343 Hcltech Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Controller APIs) vulnerability.

6.5
2024-01-07 CVE-2024-0286 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Hospital Management System 1.0

A vulnerability, which was classified as problematic, was found in PHPGurukul Hospital Management System 1.0.

6.1
2024-01-07 CVE-2024-0284 Kashipara Cross-site Scripting vulnerability in Kashipara Food Management System

A vulnerability was found in Kashipara Food Management System up to 1.0.

6.1
2024-01-07 CVE-2024-0282 Kashipara Cross-site Scripting vulnerability in Kashipara Food Management System

A vulnerability was found in Kashipara Food Management System up to 1.0.

6.1
2024-01-07 CVE-2024-0283 Kashipara Cross-site Scripting vulnerability in Kashipara Food Management System

A vulnerability was found in Kashipara Food Management System up to 1.0.

6.1
2024-01-06 CVE-2023-50609 AVA Cross-site Scripting vulnerability in AVA Teaching Video Application Service Platform 3.1

Cross Site Scripting (XSS) vulnerability in AVA teaching video application service platform version 3.1, allows remote attackers to execute arbitrary code via a crafted script to ajax.aspx.

6.1
2024-01-05 CVE-2024-0246 Icewarp Cross-site Scripting vulnerability in Icewarp 12.0.2.1/12.0.3.1

A vulnerability classified as problematic has been found in IceWarp 12.0.2.1/12.0.3.1.

6.1
2024-01-05 CVE-2024-22075 Firefly III Cross-site Scripting vulnerability in Firefly-Iii Firefly III

Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection.

6.1
2024-01-04 CVE-2024-22048 GOV UK Cross-site Scripting vulnerability in Gov.Uk Govuk Tech Docs

govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability.

6.1
2024-01-04 CVE-2024-21636 Viewcomponent Cross-site Scripting vulnerability in Viewcomponent View Component

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails.

6.1
2024-01-04 CVE-2023-50630 Teamwork Management System Project Cross-site Scripting vulnerability in Teamwork Management System Project Teamwork Management System 2.28.0

Cross Site Scripting (XSS) vulnerability in xiweicheng TMS v.2.28.0 allows a remote attacker to execute arbitrary code via a crafted script to the click here function.

6.1
2024-01-04 CVE-2023-52322 Spip Cross-site Scripting vulnerability in Spip

ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.

6.1
2024-01-03 CVE-2024-21908 Tiny Cross-site Scripting vulnerability in Tiny Tinymce

TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability.

6.1
2024-01-03 CVE-2024-21910 Tiny Cross-site Scripting vulnerability in Tiny Tinymce

TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability.

6.1
2024-01-03 CVE-2024-21911 Tiny Cross-site Scripting vulnerability in Tiny Tinymce

TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability.

6.1
2024-01-03 CVE-2023-50093 Apiida Injection vulnerability in Apiida API Gateway Manager 2023.02.02

APIIDA API Gateway Manager for Broadcom Layer7 v2023.2.2 is vulnerable to Host Header Injection.

6.1
2024-01-03 CVE-2023-50092 Apiida Cross-site Scripting vulnerability in Apiida API Gateway Manager 2023.02.02

APIIDA API Gateway Manager for Broadcom Layer7 v2023.2 is vulnerable to Cross Site Scripting (XSS).

6.1
2024-01-03 CVE-2023-6621 Wpexperts Cross-site Scripting vulnerability in Wpexperts Post Smtp

The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

6.1
2024-01-03 CVE-2023-6629 Wpexperts Cross-site Scripting vulnerability in Wpexperts Post Smtp

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping.

6.1
2024-01-03 CVE-2023-50345 Hcltech Open Redirect vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by an Open Redirect vulnerability which could allow an attacker to redirect users to malicious sites, potentially leading to phishing attacks or other security threats.

6.1
2024-01-02 CVE-2024-21628 Prestashop Cross-site Scripting vulnerability in Prestashop

PrestaShop is an open-source e-commerce platform.

6.1
2024-01-02 CVE-2024-21627 Prestashop Cross-site Scripting vulnerability in Prestashop

PrestaShop is an open-source e-commerce platform.

6.1
2024-01-02 CVE-2023-51652 Spassarop Cross-site Scripting vulnerability in Spassarop Owasp Antisamy .Net

OWASP AntiSamy .NET is a library for performing cleansing of HTML coming from untrusted sources.

6.1
2024-01-02 CVE-2018-25097 Acumos Cross-site Scripting vulnerability in Acumos Design Studio

A vulnerability, which was classified as problematic, was found in Acumos Design Studio up to 2.0.7.

6.1
2024-01-02 CVE-2015-10128 Royaltechbd Cross-site Scripting vulnerability in Royaltechbd Royal Prettyphoto 1.2

A vulnerability was found in rt-prettyphoto Plugin up to 1.2 on WordPress and classified as problematic.

6.1
2024-01-02 CVE-2023-26159 Follow Redirects Open Redirect vulnerability in Follow-Redirects Follow Redirects

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function.

6.1
2024-01-01 CVE-2023-6000 Sygnoos Cross-site Scripting vulnerability in Sygnoos Popup Builder

The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

6.1
2024-01-01 CVE-2024-21732 Flycms Project Cross-site Scripting vulnerability in Flycms Project Flycms 1.0

FlyCms through abbaa5a allows XSS via the permission management feature.

6.1
2024-01-05 CVE-2023-52323 Pycryptodome Information Exposure Through Discrepancy vulnerability in Pycryptodome and Pycryptodomex

PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.

5.9
2024-01-03 CVE-2023-46739 Linuxfoundation Information Exposure Through Discrepancy vulnerability in Linuxfoundation Cubefs

CubeFS is an open-source cloud-native file storage system.

5.9
2024-01-02 CVE-2023-50019 Open5Gs Improper Handling of Exceptional Conditions vulnerability in Open5Gs 2.6.6

An issue was discovered in open5gs v2.6.6.

5.9
2024-01-06 CVE-2023-50121 Autelrobotics Unspecified vulnerability in Autelrobotics EVO Nano Drone Firmware 1.6.5

Autel EVO NANO drone flight control firmware version 1.6.5 is vulnerable to denial of service (DoS).

5.7
2024-01-04 CVE-2023-6944 Redhat
Linuxfoundation
Information Exposure Through an Error Message vulnerability in multiple products

A flaw was found in the Red Hat Developer Hub (RHDH).

5.7
2024-01-05 CVE-2023-34323 XEN NULL Pointer Dereference vulnerability in XEN

When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes.

5.5
2024-01-05 CVE-2023-34327 XEN Unspecified vulnerability in XEN

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.

5.5
2024-01-05 CVE-2023-34328 XEN Unspecified vulnerability in XEN

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.

5.5
2024-01-05 CVE-2023-46835 XEN Unspecified vulnerability in XEN

The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks.

5.5
2024-01-04 CVE-2023-6992 Cloudflare Out-of-bounds Write vulnerability in Cloudflare Zlib

Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c).

5.5
2024-01-04 CVE-2023-41784 ZTE Unspecified vulnerability in ZTE RED Magic 8 PRO Firmware Gencnnx729Jv1.0.0B21Mr

Permissions and Access Control Vulnerability in ZTE Red Magic 8 Pro

5.5
2024-01-04 CVE-2024-20802 Samsung Unspecified vulnerability in Samsung DEX

Improper access control vulnerability in Samsung DeX prior to SMR Jan-2024 Release 1 allows owner to access other users&#39; notification in a multi-user environment.

5.5
2024-01-04 CVE-2024-20804 Samsung Path Traversal vulnerability in Samsung Android 11.0/12.0

Path traversal vulnerability in FileUriConverter of MyFiles prior to SMR Jan-2024 Release 1 in Android 11 and Android 12, and version 14.5.00.21 in Android 13 allows attackers to write arbitrary file.

5.5
2024-01-04 CVE-2024-20805 Samsung Path Traversal vulnerability in Samsung Android 11.0/12.0

Path traversal vulnerability in ZipCompressor of MyFiles prior to SMR Jan-2024 Release 1 in Android 11 and Android 12, and version 14.5.00.21 in Android 13 allows attackers to write arbitrary file.

5.5
2024-01-04 CVE-2024-20806 Samsung Unspecified vulnerability in Samsung Android 11.0/12.0

Improper access control in Notification service prior to SMR Jan-2024 Release 1 allows local attacker to access notification data.

5.5
2024-01-04 CVE-2024-20808 Samsung Unspecified vulnerability in Samsung Nearby Device Scanning

Improper access control vulnerability in Nearby device scanning prior version 11.1.14.7 allows local attacker to access data.

5.5
2024-01-04 CVE-2024-20809 Samsung Unspecified vulnerability in Samsung Nearby Device Scanning

Improper access control vulnerability in Nearby device scanning prior version 11.1.14.7 allows local attacker to access data.

5.5
2024-01-03 CVE-2023-41779 ZTE Incorrect Authorization vulnerability in ZTE Zxcloud Irai Firmware

There is an illegal memory access vulnerability of ZTE's ZXCLOUD iRAI product.When the vulnerability is exploited by an attacker with the common user permission, the physical machine will be crashed.

5.5
2024-01-03 CVE-2023-49554 Yasm Project Use After Free vulnerability in Yasm Project Yasm 1.3.0.86.G9Def

Use After Free vulnerability in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the do_directive function in the modules/preprocs/nasm/nasm-pp.c component.

5.5
2024-01-03 CVE-2023-49555 Yasm Project Unspecified vulnerability in Yasm Project Yasm 1.3.0.86.G9Def

An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expand_smacro function in the modules/preprocs/nasm/nasm-pp.c component.

5.5
2024-01-03 CVE-2023-49556 Yasm Project Unspecified vulnerability in Yasm Project Yasm 1.3.0.86.G9Def

Buffer Overflow vulnerability in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expr_delete_term function in the libyasm/expr.c component.

5.5
2024-01-03 CVE-2023-49557 Yasm Project Unspecified vulnerability in Yasm Project Yasm 1.3.0.86.G9Def

An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the yasm_section_bcs_first function in the libyasm/section.c component.

5.5
2024-01-03 CVE-2023-49558 Yasm Project Unspecified vulnerability in Yasm Project Yasm 1.3.0.86.G9Def

An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expand_mmac_params function in the modules/preprocs/nasm/nasm-pp.c component.

5.5
2024-01-02 CVE-2023-4164 Google Missing Authorization vulnerability in Google Android

There is a possible information disclosure due to a missing permission check.

5.5
2024-01-02 CVE-2023-47216 Openharmony Missing Release of Resource after Effective Lifetime vulnerability in Openharmony

in OpenHarmony v3.2.2 and prior versions allow a local attacker cause DOS through occupy all resources

5.5
2024-01-02 CVE-2023-47857 Openharmony Use After Free vulnerability in Openharmony

in OpenHarmony v3.2.2 and prior versions allow a local attacker cause multimedia camera crash through modify a released pointer.

5.5
2024-01-02 CVE-2023-48360 Openharmony Use After Free vulnerability in Openharmony

in OpenHarmony v3.2.2 and prior versions allow a local attacker cause multimedia player crash through modify a released pointer.

5.5
2024-01-02 CVE-2023-49135 Openharmony Use After Free vulnerability in Openharmony

in OpenHarmony v3.2.2 and prior versions allow a local attacker cause multimedia player crash through modify a released pointer.

5.5
2024-01-02 CVE-2023-33036 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Permanent DOS in Hypervisor while untrusted VM without PSCI support makes a PSCI call.

5.5
2024-01-02 CVE-2023-33037 Qualcomm Missing Encryption of Sensitive Data vulnerability in Qualcomm products

Cryptographic issue in Automotive while unwrapping the key secs2d and verifying with RPMB data.

5.5
2024-01-02 CVE-2023-32831 Mediatek Use of Insufficiently Random Values vulnerability in Mediatek Software Development KIT

In wlan driver, there is a possible PIN crack due to use of insufficiently random values.

5.5
2024-01-07 CVE-2024-0266 Yugeshverma Cross-site Scripting vulnerability in Yugeshverma Online Lawyer Management System 1.0

A vulnerability classified as problematic has been found in Project Worlds Online Lawyer Management System 1.0.

5.4
2024-01-06 CVE-2023-6798 Themeisle Missing Authorization vulnerability in Themeisle RSS Aggregator BY Feedzy

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2.

5.4
2024-01-06 CVE-2023-6801 Themeisle Cross-site Scripting vulnerability in Themeisle RSS Aggregator BY Feedzy

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping.

5.4
2024-01-05 CVE-2023-47559 Qnap Cross-site Scripting vulnerability in Qnap Qumagie 2.2.0

A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie.

5.4
2024-01-05 CVE-2023-52124 Shapedplugin Cross-site Scripting vulnerability in Shapedplugin WP Tabs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin LLC WP Tabs – Responsive Tabs Plugin for WordPress allows Stored XSS.This issue affects WP Tabs – Responsive Tabs Plugin for WordPress: from n/a through 2.2.0.

5.4
2024-01-05 CVE-2023-52125 Iframe Project Cross-site Scripting vulnerability in Iframe Project Iframe

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly iframe allows Stored XSS.This issue affects iframe: from n/a through 4.8.

5.4
2024-01-05 CVE-2023-52178 Mojofywp Cross-site Scripting vulnerability in Mojofywp WP Affiliate Disclosure

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MojofyWP WP Affiliate Disclosure allows Stored XSS.This issue affects WP Affiliate Disclosure: from n/a through 1.2.7.

5.4
2024-01-04 CVE-2023-6551 Verot Unrestricted Upload of File with Dangerous Type vulnerability in Verot Class.Upload.PHP

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used.

5.4
2024-01-04 CVE-2023-7044 Wpdeveloper Cross-site Scripting vulnerability in Wpdeveloper Essential Addons for Elementor

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom ID in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping.

5.4
2024-01-04 CVE-2023-6738 Pagelayer Cross-site Scripting vulnerability in Pagelayer

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2024-01-03 CVE-2023-6747 Fooplugins Cross-site Scripting vulnerability in Fooplugins Foogallery

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attributes in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping.

5.4
2024-01-03 CVE-2023-6986 Wpdeveloper Cross-site Scripting vulnerability in Wpdeveloper Embedpress

The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's embed_oembed_html shortcode in all versions up to 3.9.5 (exclusive) due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2024-01-03 CVE-2023-6524 Mappresspro Cross-site Scripting vulnerability in Mappresspro Mappress

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the map title parameter in all versions up to and including 2.88.13 due to insufficient input sanitization and output escaping.

5.4
2024-01-03 CVE-2023-6600 Daan Cross-site Scripting vulnerability in Daan Omgf

The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts.

5.4
2024-01-03 CVE-2023-7027 Wpexperts Cross-site Scripting vulnerability in Wpexperts Post Smtp

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping.

5.4
2024-01-03 CVE-2023-50344 Hcltech Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by improper access control (Unauthenticated File Download) vulnerability.

5.4
2024-01-02 CVE-2024-0192 NIA Unrestricted Upload of File with Dangerous Type vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0

A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0.

5.4
2024-01-02 CVE-2024-0190 NIA Cross-site Scripting vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0

A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0 and classified as problematic.

5.4
2024-01-02 CVE-2024-0189 NIA Cross-site Scripting vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0

A vulnerability has been found in RRJ Nueva Ecija Engineer Online Portal 1.0 and classified as problematic.

5.4
2024-01-01 CVE-2023-6485 Bplugins Cross-site Scripting vulnerability in Bplugins Html5 Video Player

The Html5 Video Player WordPress plugin before 2.5.19 does not sanitise and escape some of its player settings, which combined with missing capability checks around the plugin could allow any authenticated users, such as low as subscribers to perform Stored Cross-Site Scripting attacks against high privilege users like admins

5.4
2024-01-05 CVE-2023-52126 Sumanbhattarai Unspecified vulnerability in Sumanbhattarai Send Users Email

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Suman Bhattarai Send Users Email.This issue affects Send Users Email: from n/a through 1.4.3.

5.3
2024-01-05 CVE-2023-52146 Ajexperience Information Exposure Through Log Files vulnerability in Ajexperience 404 Solution

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution.This issue affects 404 Solution: from n/a through 2.33.0.

5.3
2024-01-05 CVE-2023-52148 Wpaffiliatemanager Unspecified vulnerability in Wpaffiliatemanager Affiliates Manager

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager.This issue affects Affiliates Manager: from n/a through 2.9.30.

5.3
2024-01-05 CVE-2023-52151 Uncannyowl Unspecified vulnerability in Uncannyowl Uncanny Automator

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Uncanny Automator, Uncanny Owl Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin.This issue affects Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin: from n/a through 5.1.0.2.

5.3
2024-01-04 CVE-2024-22049 John Nunemaker Exposure of Resource to Wrong Sphere vulnerability in John Nunemaker Httparty

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability.

5.3
2024-01-03 CVE-2023-50348 Hcltech Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by an improper error handling vulnerability.

5.3
2024-01-02 CVE-2023-45561 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in A-WORLD OIRASE BEER_waiting Line v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.

5.3
2024-01-02 CVE-2024-0191 NIA File and Directory Information Exposure vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0

A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0.

5.3
2024-01-02 CVE-2023-6693 Qemu
Redhat
Out-of-bounds Write vulnerability in multiple products

A stack based buffer overflow was found in the virtio-net device of QEMU.

5.3
2024-01-05 CVE-2023-34324 XEN
Linux
Resource Exhaustion vulnerability in multiple products

Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g.

4.9
2024-01-03 CVE-2023-6981 Veronalabs SQL Injection vulnerability in Veronalabs WP SMS

The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to SQL Injection via the 'group_id' parameter in all versions up to, and including, 6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

4.9
2024-01-07 CVE-2024-0262 Projectworlds Cross-site Scripting vulnerability in Projectworlds Online JOB Portal 1.0

A vulnerability was found in Online Job Portal 1.0 and classified as problematic.

4.8
2024-01-05 CVE-2023-41782 ZTE Uncontrolled Search Path Element vulnerability in ZTE Zxcloud Irai Firmware

There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI, an attacker could place a fake DLL file in a specific directory and successfully exploit this vulnerability to execute malicious code.

4.8
2024-01-04 CVE-2023-6498 Really Simple Plugins Cross-site Scripting vulnerability in Really-Simple-Plugins Complianz

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 6.5.5 due to insufficient input sanitization and output escaping.

4.8
2024-01-03 CVE-2023-6004 Libssh
Redhat
Fedoraproject
Injection vulnerability in multiple products

A flaw was found in libssh.

4.8
2024-01-02 CVE-2024-0184 NIA Cross-site Scripting vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0

A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0.

4.8
2024-01-01 CVE-2024-0183 NIA Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0

A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0.

4.8
2024-01-01 CVE-2024-0181 NIA Cross-site Scripting vulnerability in NIA RRJ Nueva Ecija Engineer Online Portal 1.0

A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0.

4.8
2024-01-01 CVE-2023-6037 Ljapps Cross-site Scripting vulnerability in Ljapps WP Tripadvisor Review Slider

The WP TripAdvisor Review Slider WordPress plugin before 11.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2024-01-05 CVE-2024-21641 Flarum Open Redirect vulnerability in Flarum

Flarum is open source discussion platform software.

4.7
2024-01-05 CVE-2023-46836 XEN Unspecified vulnerability in XEN

The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe.

4.7
2024-01-02 CVE-2017-20188 Zimbra Cross-site Scripting vulnerability in Zimbra Zm-Ajax

A vulnerability has been found in Zimbra zm-ajax up to 8.8.1 and classified as problematic.

4.7
2024-01-04 CVE-2022-3864 Hitachienergy Improper Verification of Cryptographic Signature vulnerability in Hitachienergy products

A vulnerability exists in the Relion update package signature validation.

4.5
2024-01-02 CVE-2023-7192 Linux
Redhat
Memory Leak vulnerability in multiple products

A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel.

4.4
2024-01-02 CVE-2023-32875 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0/13.0

In keyInstall, there is a possible information disclosure due to a missing bounds check.

4.4
2024-01-02 CVE-2023-32876 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0/13.0

In keyInstall, there is a possible information disclosure due to a missing bounds check.

4.4
2024-01-02 CVE-2023-32878 Google Out-of-bounds Read vulnerability in Google Android 12.0/13.0

In battery, there is a possible information disclosure due to a missing bounds check.

4.4
2024-01-02 CVE-2023-32880 Google Out-of-bounds Read vulnerability in Google Android 12.0/13.0

In battery, there is a possible information disclosure due to a missing bounds check.

4.4
2024-01-02 CVE-2023-32881 Google Integer Overflow or Wraparound vulnerability in Google Android 12.0/13.0

In battery, there is a possible information disclosure due to an integer overflow.

4.4
2024-01-05 CVE-2023-6493 Averta Cross-Site Request Forgery (CSRF) vulnerability in Averta Depicter Slider

The Depicter Slider – Responsive Image Slider, Video Slider & Post Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.6.

4.3
2024-01-03 CVE-2024-0201 Webcodingplace Missing Authorization vulnerability in Webcodingplace Product Expiry for Woocommerce

The Product Expiry for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_settings' function in versions up to, and including, 2.5.

4.3
2024-01-03 CVE-2023-6984 Ideabox Cross-Site Request Forgery (CSRF) vulnerability in Ideabox Powerpack Addons for Elementor

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.13.

4.3
2024-01-03 CVE-2023-6980 Veronalabs Cross-site Scripting vulnerability in Veronalabs WP SMS

The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.

4.3
2024-01-03 CVE-2023-50342 Hcltech Authorization Bypass Through User-Controlled Key vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability.

4.3
2024-01-03 CVE-2023-50346 Hcltech Unspecified vulnerability in Hcltech Dryice Myxalytics 5.9/6.0/6.1

HCL DRYiCE MyXalytics is impacted by an information disclosure vulnerability.

4.3
2024-01-02 CVE-2023-47858 Mattermost Unspecified vulnerability in Mattermost Server

Mattermost fails to properly verify the permissions needed for viewing archived public channels,  allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint.

4.3
2024-01-02 CVE-2023-48732 Mattermost Unspecified vulnerability in Mattermost Server

Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.

4.3
2024-01-02 CVE-2023-50333 Mattermost Unspecified vulnerability in Mattermost Server

Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.

4.3

9 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-02 CVE-2020-26623 Gilacms SQL Injection vulnerability in Gilacms Gila CMS

SQL Injection vulnerability discovered in Gila CMS 1.15.4 and earlier allows a remote attacker to execute arbitrary web scripts via the Area parameter under the Administration>Widget tab after the login portal.

3.8
2024-01-02 CVE-2020-26624 Gilacms SQL Injection vulnerability in Gilacms Gila CMS

A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the ID parameter after the login portal.

3.8
2024-01-02 CVE-2020-26625 Gilacms SQL Injection vulnerability in Gilacms Gila CMS

A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the 'user_id' parameter after the login portal.

3.8
2024-01-05 CVE-2023-34321 XEN Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in XEN

Arm provides multiple helpers to clean & invalidate the cache for a given region.

3.3
2024-01-05 CVE-2023-46837 XEN Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in XEN

Arm provides multiple helpers to clean & invalidate the cache for a given region.

3.3
2024-01-04 CVE-2024-20807 Samsung Unspecified vulnerability in Samsung Email 6.1.82.0

Implicit intent hijacking vulnerability in Samsung Email prior to version 6.1.90.16 allows attacker to get sensitive information.

3.3
2024-01-03 CVE-2024-0217 Packagekit Project
Redhat
Fedoraproject
Use After Free vulnerability in multiple products

A use-after-free flaw was found in PackageKitd.

3.3
2024-01-02 CVE-2023-49142 Openharmony Use After Free vulnerability in Openharmony

in OpenHarmony v3.2.2 and prior versions allow a local attacker cause multimedia audio crash through modify a released pointer.

3.3
2024-01-04 CVE-2024-22047 Collectiveidea Race Condition vulnerability in Collectiveidea Audited

A race condition exists in Audited 4.0.0 to 5.3.3 that can result in an authenticated user to cause audit log entries to be attributed to another user.

3.1