Weekly Vulnerabilities Reports > January 22 to 28, 2024

Overview

489 new vulnerabilities reported during this period, including 96 critical vulnerabilities and 144 high severity vulnerabilities. This weekly summary report vulnerabilities in 415 products from 204 vendors including Ajaysharma, Trendmicro, Apple, Linecorp, and Mozilla. Vulnerabilities are notably categorized as "Cross-site Scripting", "Command Injection", "Out-of-bounds Write", "Path Traversal", and "SQL Injection".

  • 400 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 190 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 318 reported vulnerabilities are exploitable by an anonymous user.
  • Ajaysharma has the most reported vulnerabilities, with 41 reported vulnerabilities.
  • Tendacn has the most reported critical vulnerabilities, with 10 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

96 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-26 CVE-2024-20253 Cisco Unspecified vulnerability in Cisco products

A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

10.0
2024-01-26 CVE-2024-0402 Gitlab Path Traversal vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

9.9
2024-01-28 CVE-2024-23740 Getkap Unspecified vulnerability in Getkap KAP

An issue in Kap for macOS version 3.6.0 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.

9.8
2024-01-28 CVE-2024-23739 Discord Unspecified vulnerability in Discord 0.0.291

An issue in Discord for macOS version 0.0.291 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.

9.8
2024-01-28 CVE-2024-23741 Hyper Unspecified vulnerability in Hyper 3.4.1

An issue in Hyper on macOS version 3.4.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.

9.8
2024-01-28 CVE-2024-23742 Loom Unspecified vulnerability in Loom 0.196.1

An issue in Loom on macOS version 0.196.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.

9.8
2024-01-28 CVE-2024-23738 Postman Unspecified vulnerability in Postman

An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.

9.8
2024-01-27 CVE-2024-0960 Flink Extended Deserialization of Untrusted Data vulnerability in Flink-Extended Aiflow 0.3.1

A vulnerability was found in flink-extended ai-flow 0.3.1.

9.8
2024-01-27 CVE-2024-0959 Standford Deserialization of Untrusted Data vulnerability in Standford Gibsonenv 0.3.1

A vulnerability was found in StanfordVL GibsonEnv 0.3.1.

9.8
2024-01-27 CVE-2024-22860 Ffmpeg Integer Overflow or Wraparound vulnerability in Ffmpeg

Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the jpegxl_anim_read_packet component in the JPEG XL Animation decoder.

9.8
2024-01-27 CVE-2024-22862 Ffmpeg Integer Overflow or Wraparound vulnerability in Ffmpeg

Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the JJPEG XL Parser.

9.8
2024-01-27 CVE-2023-52389 Pocoproject Integer Overflow or Wraparound vulnerability in Pocoproject Poco

UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher.

9.8
2024-01-26 CVE-2024-0945 60Indexpage Project Server-Side Request Forgery (SSRF) vulnerability in 60Indexpage Project 60Indexpage

A vulnerability classified as critical has been found in 60IndexPage up to 1.8.5.

9.8
2024-01-26 CVE-2024-0946 60Indexpage Project Server-Side Request Forgery (SSRF) vulnerability in 60Indexpage Project 60Indexpage

A vulnerability classified as critical was found in 60IndexPage up to 1.8.5.

9.8
2024-01-26 CVE-2024-0939 Byzoro Unrestricted Upload of File with Dangerous Type vulnerability in Byzoro Smart S210 Firmware 20231121

A vulnerability has been found in Byzoro Smart S210 Management Platform up to 20240117 and classified as critical.

9.8
2024-01-26 CVE-2024-0941 Xxyopen SQL Injection vulnerability in Xxyopen Novel-Plus 4.3.0

A vulnerability was found in Novel-Plus 4.3.0-RC1 and classified as critical.

9.8
2024-01-26 CVE-2024-0937 Vanderschaarlab Deserialization of Untrusted Data vulnerability in Vanderschaarlab Temporai 0.2.9

A vulnerability, which was classified as critical, has been found in van_der_Schaar LAB synthcity 0.2.9.

9.8
2024-01-26 CVE-2024-0938 Tongda2000 SQL Injection vulnerability in Tongda2000 Office Anywhere 2017 11.9

A vulnerability, which was classified as critical, was found in Tongda OA 2017 up to 11.9.

9.8
2024-01-26 CVE-2024-0931 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability classified as critical was found in Tenda AC10U 15.03.06.49_multi_TDE01.

9.8
2024-01-26 CVE-2024-0932 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.49_multi_TDE01.

9.8
2024-01-26 CVE-2024-0933 Niushop Unrestricted Upload of File with Dangerous Type vulnerability in Niushop B2B2C Multi-Business 5.0

A vulnerability was found in Niushop B2B2C V5 and classified as critical.

9.8
2024-01-26 CVE-2024-0928 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01.

9.8
2024-01-26 CVE-2024-0929 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01.

9.8
2024-01-26 CVE-2024-0930 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability classified as critical has been found in Tenda AC10U 15.03.06.49_multi_TDE01.

9.8
2024-01-26 CVE-2024-0924 Tenda Stack-based Buffer Overflow vulnerability in Tenda Ac10U Firmware 15.03.06.49Multitde01

A vulnerability, which was classified as critical, was found in Tenda AC10U 15.03.06.49_multi_TDE01.

9.8
2024-01-26 CVE-2024-0925 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability has been found in Tenda AC10U 15.03.06.49_multi_TDE01 and classified as critical.

9.8
2024-01-26 CVE-2024-0926 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01 and classified as critical.

9.8
2024-01-26 CVE-2024-0927 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01.

9.8
2024-01-26 CVE-2024-0921 Dlink OS Command Injection vulnerability in Dlink Dir-816 A2 Firmware 1.10Cnb04

A vulnerability has been found in D-Link DIR-816 A2 1.10CNB04 and classified as critical.

9.8
2024-01-26 CVE-2024-0922 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability classified as critical was found in Tenda AC10U 15.03.06.49_multi_TDE01.

9.8
2024-01-26 CVE-2024-0923 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01

A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.49_multi_TDE01.

9.8
2024-01-26 CVE-2023-38317 Opennds OS Command Injection vulnerability in Opennds

An issue was discovered in OpenNDS before 10.1.3.

9.8
2024-01-26 CVE-2023-38318 Opennds OS Command Injection vulnerability in Opennds

An issue was discovered in OpenNDS before 10.1.3.

9.8
2024-01-26 CVE-2023-38319 Opennds OS Command Injection vulnerability in Opennds

An issue was discovered in OpenNDS before 10.1.3.

9.8
2024-01-26 CVE-2023-38323 Opennds OS Command Injection vulnerability in Opennds

An issue was discovered in OpenNDS before 10.1.3.

9.8
2024-01-26 CVE-2024-23613 Broadcom Classic Buffer Overflow vulnerability in Broadcom Symantec Deployment Solutions 7.9

A buffer overflow vulnerability exists in Symantec Deployment Solution version 7.9 when parsing UpdateComputer tokens.

9.8
2024-01-26 CVE-2024-23614 Broadcom Classic Buffer Overflow vulnerability in Broadcom Symantec Messaging Gateway 9.5

A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 9.5 and before.

9.8
2024-01-26 CVE-2024-23615 Broadcom Classic Buffer Overflow vulnerability in Broadcom Symantec Messaging Gateway 10.5/9.5

A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 10.5 and before.

9.8
2024-01-26 CVE-2024-23616 Broadcom Classic Buffer Overflow vulnerability in Broadcom Symantec Server Management Suite 7.9

A buffer overflow vulnerability exists in Symantec Server Management Suite version 7.9 and before.

9.8
2024-01-26 CVE-2024-23618 Commscope Missing Authentication for Critical Function vulnerability in Commscope Arris Surfboard Sbg6950Ac2 Firmware

An arbitrary code execution vulnerability exists in Arris SURFboard SGB6950AC2 devices.

9.8
2024-01-26 CVE-2024-23619 IBM Use of Hard-coded Credentials vulnerability in IBM Merge Efilm Workstation 4.2

A hardcoded credential vulnerability exists in IBM Merge Healthcare eFilm Workstation.

9.8
2024-01-26 CVE-2024-23621 IBM Classic Buffer Overflow vulnerability in IBM Merge Efilm Workstation 4.2

A buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server.

9.8
2024-01-26 CVE-2024-23622 IBM Out-of-bounds Write vulnerability in IBM Merge Efilm Workstation 4.2

A stack-based buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server.

9.8
2024-01-26 CVE-2024-23624 Dlink Command Injection vulnerability in Dlink Dap-1650 Firmware

A command injection vulnerability exists in the gena.cgi module of D-Link DAP-1650 devices.

9.8
2024-01-26 CVE-2024-23625 Dlink Command Injection vulnerability in Dlink Dap-1650 Firmware

A command injection vulnerability exists in D-Link DAP-1650 devices when handling UPnP SUBSCRIBE messages.

9.8
2024-01-25 CVE-2024-0890 Hongmaple SQL Injection vulnerability in Hongmaple Octopus 1.0

A vulnerability was found in hongmaple octopus 1.0.

9.8
2024-01-25 CVE-2024-22922 Projectworlds Improper Privilege Management vulnerability in Projectworlds Visitor Management System in PHP 1.0

An issue in Projectworlds Vistor Management Systemin PHP v.1.0 allows a remtoe attacker to escalate privileges via a crafted script to the login page in the POST/index.php

9.8
2024-01-25 CVE-2024-0884 Mayurik SQL Injection vulnerability in Mayurik Online Tours &Travels Management System 1.0

A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0.

9.8
2024-01-25 CVE-2024-22638 Livesite Unspecified vulnerability in Livesite 2019.1

liveSite v2019.1 was discovered to contain a remote code execution (RCE) vulenrabiity via the component /livesite/edit_designer_region.php or /livesite/add_email_campaign.php.

9.8
2024-01-25 CVE-2023-6267 Quarkus Improper Handling of Exceptional Conditions vulnerability in Quarkus

A flaw was found in the json payload.

9.8
2024-01-25 CVE-2023-7227 Systemk Corp Command Injection vulnerability in Systemk-Corp products

SystemK NVR 504/508/516 versions 2.3.5SK.30084998 and prior are vulnerable to a command injection vulnerability in the dynamic domain name system (DDNS) settings that could allow an attacker to execute arbitrary commands with root privileges.

9.8
2024-01-25 CVE-2024-0883 Mayurik SQL Injection vulnerability in Mayurik Online Tours & Travels Management System 1.0

A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0.

9.8
2024-01-25 CVE-2024-22529 Totolink Command Injection vulnerability in Totolink X2000R Firmware 2.0.0B20230727.10434

TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa.

9.8
2024-01-25 CVE-2024-22729 Netis Systems Command Injection vulnerability in Netis-Systems Mw5360 Firmware 1.0.1.3031

NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.

9.8
2024-01-25 CVE-2023-33759 Splicecom Improper Restriction of Excessive Authentication Attempts vulnerability in Splicecom Maximiser Soft PBX

SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack.

9.8
2024-01-24 CVE-2024-22751 Dlink Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06

D-Link DIR-882 DIR882A1_FW130B06 was discovered to contain a stack overflow via the sub_477AA0 function.

9.8
2024-01-24 CVE-2021-42144 Contiki NG Out-of-bounds Read vulnerability in Contiki-Ng Tinydtls

Buffer over-read vulnerability in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers obtain sensitive information via crafted input to dtls_ccm_decrypt_message().

9.8
2024-01-24 CVE-2023-51889 Ctan Out-of-bounds Write vulnerability in Ctan Mathtex

Stack Overflow vulnerability in the validate() function in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in the application URL.

9.8
2024-01-24 CVE-2023-52038 Totolink Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415C80 function.

9.8
2024-01-24 CVE-2023-52039 Totolink Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415AA4 function.

9.8
2024-01-24 CVE-2023-52040 Totolink Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_41284C function.

9.8
2024-01-24 CVE-2024-23897 Jenkins Path Traversal vulnerability in Jenkins

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

9.8
2024-01-24 CVE-2023-51885 Ctan Classic Buffer Overflow vulnerability in Ctan Mathtex

Buffer Overflow vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via the length of the LaTeX string component.

9.8
2024-01-24 CVE-2023-51887 Ctan Command Injection vulnerability in Ctan Mathtex

Command Injection vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in application URL.

9.8
2024-01-24 CVE-2024-22651 Dlink Command Injection vulnerability in Dlink Dir-815 Firmware 1.0.1/1.01Ssb08.Bin/1.04

There is a command injection vulnerability in the ssdpcgi_main function of cgibin binary in D-Link DIR-815 router firmware v1.04.

9.8
2024-01-24 CVE-2023-52221 Ukrsolution Unrestricted Upload of File with Dangerous Type vulnerability in Ukrsolution Barcode Scanner and Inventory Manager

Unrestricted Upload of File with Dangerous Type vulnerability in UkrSolution Barcode Scanner and Inventory manager.This issue affects Barcode Scanner and Inventory manager: from n/a through 1.5.1.

9.8
2024-01-24 CVE-2024-22284 Asgaros Deserialization of Untrusted Data vulnerability in Asgaros Forum

Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum.This issue affects Asgaros Forum: from n/a through 2.7.2.

9.8
2024-01-24 CVE-2024-22309 Quantumcloud Deserialization of Untrusted Data vulnerability in Quantumcloud AI Chatbot

Deserialization of Untrusted Data vulnerability in QuantumCloud ChatBot with AI.This issue affects ChatBot with AI: from n/a through 5.1.0.

9.8
2024-01-24 CVE-2024-0808 Google
Fedoraproject
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a malicious file.

9.8
2024-01-23 CVE-2023-35835 Solax Unspecified vulnerability in Solax Pocket Wifi 3 Firmware

An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02.

9.8
2024-01-23 CVE-2023-35837 Solax Unspecified vulnerability in Solax Pocket Wifi 3 Firmware

An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02.

9.8
2024-01-23 CVE-2021-42142 Contiki NG Improper Handling of Exceptional Conditions vulnerability in Contiki-Ng Tinydtls 20180830

An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97.

9.8
2024-01-23 CVE-2023-31654 Redis Unspecified vulnerability in Redis Redisraft

Redis raft master-1b8bd86 to master-7b46079 was discovered to contain an ODR violation via the component hiredisAllocFns at /opt/fs/redisraft/deps/hiredis/alloc.c.

9.8
2024-01-23 CVE-2023-36177 Badaix Unspecified vulnerability in Badaix Snapcast 0.27.0

An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.

9.8
2024-01-23 CVE-2023-51210 Webkul SQL Injection vulnerability in Webkul Bundle Product 6.0.1

SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a remote attacker to execute arbitrary code via the id_product parameters in the UpdateProductQuantity function.

9.8
2024-01-23 CVE-2024-22203 Benbusby Server-Side Request Forgery (SSRF) vulnerability in Benbusby Whoogle Search

Whoogle Search is a self-hosted metasearch engine.

9.8
2024-01-23 CVE-2024-22205 Benbusby Server-Side Request Forgery (SSRF) vulnerability in Benbusby Whoogle Search

Whoogle Search is a self-hosted metasearch engine.

9.8
2024-01-23 CVE-2024-23636 Sofastack Deserialization of Untrusted Data vulnerability in Sofastack Sofarpc

SOFARPC is a Java RPC framework.

9.8
2024-01-23 CVE-2024-22660 Totolink Out-of-bounds Write vulnerability in Totolink A3700R Firmware 9.1.2U.616520211012

TOTOLINK_A3700R_V9.1.2u.6165_20211012has a stack overflow vulnerability via setLanguageCfg

9.8
2024-01-23 CVE-2024-22662 Totolink Out-of-bounds Write vulnerability in Totolink A3700R Firmware 9.1.2U.616520211012

TOTOLINK A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerability via setParentalRules

9.8
2024-01-23 CVE-2024-22663 Totolink Command Injection vulnerability in Totolink A3700R Firmware 9.1.2U.616520211012

TOTOLINK_A3700R_V9.1.2u.6165_20211012has a command Injection vulnerability via setOpModeCfg

9.8
2024-01-23 CVE-2024-22076 MYQ Solution Unspecified vulnerability in Myq-Solution Print Server 8.2

MyQ Print Server before 8.2 patch 43 allows remote authenticated administrators to execute arbitrary code via PHP scripts that are reached through the administrative interface.

9.8
2024-01-22 CVE-2021-42141 Contiki NG Improper Handling of Exceptional Conditions vulnerability in Contiki-Ng Tinydtls 20180830

An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30.

9.8
2024-01-22 CVE-2023-48118 Quest Analytics SQL Injection vulnerability in Quest-Analytics Iqcrm 2023.9.5

SQL Injection vulnerability in Quest Analytics LLC IQCRM v.2023.9.5 allows a remote attacker to execute arbitrary code via a crafted request to the Common.svc WSDL page.

9.8
2024-01-22 CVE-2024-0204 Fortra Forced Browsing vulnerability in Fortra Goanywhere Managed File Transfer

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

9.8
2024-01-22 CVE-2024-0783 Online Admission System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Admission System Project Online Admission System 1.0

A vulnerability was found in Project Worlds Online Admission System 1.0 and classified as critical.

9.8
2024-01-22 CVE-2024-0784 Hongmaple SQL Injection vulnerability in Hongmaple Octopus 1.0

A vulnerability was found in hongmaple octopus 1.0.

9.8
2024-01-22 CVE-2024-0778 Uniview OS Command Injection vulnerability in Uniview ISC 2500-S Firmware 20210930

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in Uniview ISC 2500-S up to 20210930.

9.8
2024-01-22 CVE-2017-20189 Clojure Deserialization of Untrusted Data vulnerability in Clojure

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization.

9.8
2024-01-22 CVE-2024-23771 Unix4Lyfe Information Exposure Through Discrepancy vulnerability in Unix4Lyfe Darkhttpd 1.13/1.131/1.14

darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to bypass authentication via a timing side channel.

9.8
2024-01-22 CVE-2024-23751 Llamaindex SQL Injection vulnerability in Llamaindex

LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine.

9.8
2024-01-22 CVE-2024-23752 Gabrieleventuri Missing Authorization vulnerability in Gabrieleventuri Pandasai

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor.

9.8
2024-01-26 CVE-2024-21326 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

9.6
2024-01-24 CVE-2021-42147 Contiki NG Out-of-bounds Read vulnerability in Contiki-Ng Tinydtls 20180830

Buffer over-read vulnerability in the dtls_sha256_update function in Contiki-NG tinyDTLS through master branch 53a0d97 allows remote attackers to cause a denial of service via crafted data packet.

9.1
2024-01-24 CVE-2021-42143 Contiki NG Infinite Loop vulnerability in Contiki-Ng Tinydtls 20180830

An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97.

9.1
2024-01-22 CVE-2022-45790 Omron Improper Restriction of Excessive Authentication Attempts vulnerability in Omron products

The Omron FINS protocol has an authenticated feature to prevent access to memory regions.

9.1

144 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-27 CVE-2024-22283 Delhivery SQL Injection vulnerability in Delhivery Logistics Courier 1.0.107

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delhivery Delhivery Logistics Courier.This issue affects Delhivery Logistics Courier: from n/a through 1.0.107.

8.8
2024-01-26 CVE-2024-0936 Vanderschaarlab Deserialization of Untrusted Data vulnerability in Vanderschaarlab Temporai 0.0.3

A vulnerability classified as critical was found in van_der_Schaar LAB TemporAI 0.0.3.

8.8
2024-01-26 CVE-2024-23617 Broadcom Classic Buffer Overflow vulnerability in Broadcom Symantec Data Center Security Server 14.0.2/6.5.0/6.6.0

A buffer overflow vulnerability exists in Symantec Data Loss Prevention version 14.0.2 and before.

8.8
2024-01-26 CVE-2024-23626 Motorola Command Injection vulnerability in Motorola Mr2600 Firmware

A command injection vulnerability exists in the ‘SaveSysLogParams’ parameter of the Motorola MR2600.

8.8
2024-01-26 CVE-2024-23627 Motorola Command Injection vulnerability in Motorola Mr2600 Firmware

A command injection vulnerability exists in the 'SaveStaticRouteIPv4Params' parameter of the Motorola MR2600.

8.8
2024-01-26 CVE-2024-23628 Motorola Command Injection vulnerability in Motorola Mr2600 Firmware

A command injection vulnerability exists in the 'SaveStaticRouteIPv6Params' parameter of the Motorola MR2600.

8.8
2024-01-26 CVE-2024-23630 Motorola Unrestricted Upload of File with Dangerous Type vulnerability in Motorola Mr2600 Firmware

An arbitrary firmware upload vulnerability exists in the Motorola MR2600.

8.8
2024-01-25 CVE-2023-52251 Provectus Code Injection vulnerability in Provectus UI

An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.

8.8
2024-01-25 CVE-2024-22636 Pluxml Unspecified vulnerability in Pluxml 5.8.9

PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature.

8.8
2024-01-25 CVE-2024-0880 100296 Cross-Site Request Forgery (CSRF) vulnerability in 100296 Qdbcrm 1.1.0

A vulnerability was found in Qidianbang qdbcrm 1.1.0 and classified as problematic.

8.8
2024-01-24 CVE-2024-23646 Pimcore SQL Injection vulnerability in Pimcore Admin Classic Bundle

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore.

8.8
2024-01-24 CVE-2024-23648 Pimcore Injection vulnerability in Pimcore Admin Classic Bundle

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore.

8.8
2024-01-24 CVE-2024-23898 Jenkins Origin Validation Error vulnerability in Jenkins

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.

8.8
2024-01-24 CVE-2023-43317 Coign Unspecified vulnerability in Coign 06.06

An issue in Coign CRM Portal v.06.06 allows a remote attacker to escalate privileges via the userPermissionsList parameter in Session Storage component.

8.8
2024-01-24 CVE-2024-0806 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Passwords in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via specific UI interaction.

8.8
2024-01-24 CVE-2024-0807 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Web Audio in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-01-24 CVE-2024-0812 Google
Fedoraproject
Inappropriate implementation in Accessibility in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.
8.8
2024-01-24 CVE-2024-0813 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Reading Mode in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction.

8.8
2024-01-23 CVE-2023-46892 Meross Authentication Bypass by Capture-replay vulnerability in Meross Msh30Q Firmware 4.5.23

The radio frequency communication protocol being used by Meross MSH30Q 4.5.23 is vulnerable to replay attacks, allowing attackers to record and replay previously captured communication to execute unauthorized commands or actions (e.g., thermostat's temperature).

8.8
2024-01-23 CVE-2023-52324 Trendmicro Unrestricted Upload of File with Dangerous Type vulnerability in Trendmicro Apex Central 2019

An unrestricted file upload vulnerability in Trend Micro Apex Central could allow a remote attacker to create arbitrary files on affected installations. Please note: although authentication is required to exploit this vulnerability, this vulnerability could be exploited when the attacker has any valid set of credentials.

8.8
2024-01-23 CVE-2024-0745 Mozilla Out-of-bounds Write vulnerability in Mozilla Firefox

The WebAudio `OscillatorNode` object was susceptible to a stack buffer overflow.

8.8
2024-01-23 CVE-2024-0750 Mozilla
Debian
A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions.
8.8
2024-01-23 CVE-2024-0751 Mozilla
Debian
Improper Privilege Management vulnerability in multiple products

A malicious devtools extension could have been used to escalate privileges.

8.8
2024-01-23 CVE-2024-0755 Mozilla
Debian
Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6.
8.8
2024-01-23 CVE-2024-23180 Appleple Unspecified vulnerability in Appleple A-Blog CMS

Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary code by uploading a specially crafted SVG file.

8.8
2024-01-23 CVE-2024-23348 Appleple Unspecified vulnerability in Appleple A-Blog CMS

Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary JavaScript code by uploading a specially crafted SVG file.

8.8
2024-01-23 CVE-2024-23209 Apple Unspecified vulnerability in Apple Macos

The issue was addressed with improved memory handling.

8.8
2024-01-23 CVE-2024-23213 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

8.8
2024-01-23 CVE-2024-23214 Apple Out-of-bounds Write vulnerability in Apple Ipados, Iphone OS and Macos

Multiple memory corruption issues were addressed with improved memory handling.

8.8
2024-01-23 CVE-2024-23222 Apple Type Confusion vulnerability in Apple products

A type confusion issue was addressed with improved checks.

8.8
2024-01-22 CVE-2024-23678 Splunk Unspecified vulnerability in Splunk

In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data.

8.8
2024-01-22 CVE-2024-22895 Dedecms Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7.112

DedeCMS 5.7.112 has a File Upload vulnerability via uploads/dede/module_upload.php.

8.8
2024-01-22 CVE-2023-47352 Technicolor Unspecified vulnerability in Technicolor Tc8715D Firmware

Technicolor TC8715D devices have predictable default WPA2 security passwords.

8.8
2024-01-22 CVE-2024-23768 Dremio Path Traversal vulnerability in Dremio

Dremio before 24.3.1 allows path traversal.

8.8
2024-01-22 CVE-2024-23750 Deepwisdom Code Injection vulnerability in Deepwisdom Metagpt

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen.

8.8
2024-01-26 CVE-2024-21385 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

8.3
2024-01-25 CVE-2023-40547 Redhat Out-of-bounds Write vulnerability in Redhat Enterprise Linux and Shim

A remote code execution vulnerability was found in Shim.

8.3
2024-01-25 CVE-2023-51833 Trendnet Command Injection vulnerability in Trendnet Tew-411Brpplus Firmware 2.07Eu

A command injection issue in TRENDnet TEW-411BRPplus v.2.07_eu that allows a local attacker to execute arbitrary code via the data1 parameter in the debug.cgi page.

8.1
2024-01-24 CVE-2024-23644 Trillium Interpretation Conflict vulnerability in Trillium and Trillium-Http

Trillium is a composable toolkit for building internet applications with async rust.

8.1
2024-01-23 CVE-2024-23182 Appleple Path Traversal vulnerability in Appleple A-Blog CMS

Relative path traversal vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to delete arbitrary files on the server.

8.1
2024-01-28 CVE-2024-0841 Linux
Redhat
NULL Pointer Dereference vulnerability in multiple products

A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality.

7.8
2024-01-27 CVE-2024-0962 Libcoap Out-of-bounds Write vulnerability in Libcoap 4.3.4

A vulnerability was found in obgm libcoap 4.3.4.

7.8
2024-01-26 CVE-2022-48622 Gnome Out-of-bounds Write vulnerability in Gnome Gdkpixbuf

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file.

7.8
2024-01-26 CVE-2024-22545 Trendnet Command Injection vulnerability in Trendnet Tew-824Dru Firmware 1.04B01

An issue was discovered in TRENDnet TEW-824DRU version 1.04b01, allows unauthenticated attackers to execute arbitrary code via the system.ntp.server parameter in the sub_420AE0() function.

7.8
2024-01-26 CVE-2024-23620 IBM Improper Privilege Management vulnerability in IBM Merge Efilm Workstation 4.2

An improper privilege management vulnerability exists in IBM Merge Healthcare eFilm Workstation.

7.8
2024-01-25 CVE-2023-3181 Splashtop Unspecified vulnerability in Splashtop Software Updater 1.5.6.16/1.5.6.21

The C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Temp~nsu.tmp and copies itself to it as Au_.exe.

7.8
2024-01-25 CVE-2023-52076 Mate Desktop Path Traversal vulnerability in Mate-Desktop Atril

Atril Document Viewer is the default document reader of the MATE desktop environment for Linux.

7.8
2024-01-25 CVE-2024-22749 Gpac Classic Buffer Overflow vulnerability in Gpac 2.3

GPAC v2.3 was detected to contain a buffer overflow via the function gf_isom_new_generic_sample_description function in the isomedia/isom_write.c:4577

7.8
2024-01-25 CVE-2024-23307 Linux Integer Overflow or Wraparound vulnerability in Linux Kernel

Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.

7.8
2024-01-24 CVE-2023-51711 Regify Uncontrolled Search Path Element vulnerability in Regify Regipay 4.5.1.0

An issue was discovered in Regify Regipay Client for Windows version 4.5.1.0 allows DLL hijacking: a user can trigger the execution of arbitrary code every time the product is executed.

7.8
2024-01-23 CVE-2023-47192 Trendmicro Link Following vulnerability in Trendmicro Apex ONE 2019

An agent link vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.8
2024-01-23 CVE-2023-47193 Trendmicro Origin Validation Error vulnerability in Trendmicro Apex ONE 2019

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47194.

7.8
2024-01-23 CVE-2023-47194 Trendmicro Origin Validation Error vulnerability in Trendmicro Apex ONE 2019

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47195.

7.8
2024-01-23 CVE-2023-47195 Trendmicro Origin Validation Error vulnerability in Trendmicro Apex ONE 2019

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47196.

7.8
2024-01-23 CVE-2023-47196 Trendmicro Origin Validation Error vulnerability in Trendmicro Apex ONE 2019

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47197.

7.8
2024-01-23 CVE-2023-47197 Trendmicro Origin Validation Error vulnerability in Trendmicro Apex ONE 2019

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47198.

7.8
2024-01-23 CVE-2023-47198 Trendmicro Origin Validation Error vulnerability in Trendmicro Apex ONE 2019

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47199.

7.8
2024-01-23 CVE-2023-47199 Trendmicro Origin Validation Error vulnerability in Trendmicro Apex ONE 2019

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47193.

7.8
2024-01-23 CVE-2023-47200 Trendmicro Origin Validation Error vulnerability in Trendmicro Apex ONE

A plug-in manager origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47201.

7.8
2024-01-23 CVE-2023-47201 Trendmicro Unspecified vulnerability in Trendmicro Apex ONE

A plug-in manager origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47200.

7.8
2024-01-23 CVE-2023-47202 Trendmicro Unspecified vulnerability in Trendmicro Apex ONE

A local file inclusion vulnerability on the Trend Micro Apex One management server could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.8
2024-01-23 CVE-2023-52090 Trendmicro Link Following vulnerability in Trendmicro Apex ONE

A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.8
2024-01-23 CVE-2023-52091 Trendmicro Link Following vulnerability in Trendmicro Apex ONE

An anti-spyware engine link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.8
2024-01-23 CVE-2023-52092 Trendmicro Link Following vulnerability in Trendmicro Apex ONE

A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.8
2024-01-23 CVE-2023-52093 Trendmicro Unspecified vulnerability in Trendmicro Apex ONE

An exposed dangerous function vulnerability in the Trend Micro Apex One agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.8
2024-01-23 CVE-2023-52094 Trendmicro Link Following vulnerability in Trendmicro Apex ONE

An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading for a local privilege escalation on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.8
2024-01-23 CVE-2023-52337 Trendmicro Unspecified vulnerability in Trendmicro Deep Security and Deep Security Agent

An improper access control vulnerability in Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.8
2024-01-23 CVE-2023-52338 Trendmicro Link Following vulnerability in Trendmicro Deep Security and Deep Security Agent

A link following vulnerability in the Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.8
2024-01-23 CVE-2023-6926 Crestron OS Command Injection vulnerability in Crestron Am-300 Firmware 1.4499.00018

There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access.

7.8
2024-01-23 CVE-2023-50274 HP Command Injection vulnerability in HP Oneview

HPE OneView may allow command injection with local privilege escalation.

7.8
2024-01-23 CVE-2023-51042 Linux Use After Free vulnerability in Linux Kernel

In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.

7.8
2024-01-23 CVE-2024-22705 Linux Out-of-bounds Read vulnerability in Linux Kernel

An issue was discovered in ksmbd in the Linux kernel before 6.6.10.

7.8
2024-01-23 CVE-2023-42881 Apple Unspecified vulnerability in Apple Macos

The issue was addressed with improved memory handling.

7.8
2024-01-23 CVE-2024-23208 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

7.8
2024-01-23 CVE-2024-23212 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

7.8
2024-01-22 CVE-2023-24135 Jensenofscandinavia Command Injection vulnerability in Jensenofscandinavia Eagle 1200Ac Firmware 15.03.06.33En

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a command injection vulnerability in the function formWriteFacMac.

7.8
2024-01-22 CVE-2022-45792 Omron Path Traversal vulnerability in Omron Sysmac Studio

Project files may contain malicious contents which the software will use to create files on the filesystem.

7.8
2024-01-22 CVE-2020-36771 Cloudlinux Unspecified vulnerability in Cloudlinux Cagefs 7.1.11

CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a command line argument.

7.8
2024-01-26 CVE-2024-21985 Netapp Unspecified vulnerability in Netapp Clustered Data Ontap

ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 and 9.13.1P4 are susceptible to a vulnerability which could allow an authenticated user with multiple remote accounts with differing roles to perform actions via REST API beyond their intended privilege.

7.6
2024-01-28 CVE-2023-6200 Linux Race Condition vulnerability in Linux Kernel

A race condition was found in the Linux Kernel.

7.5
2024-01-27 CVE-2024-22861 Ffmpeg Integer Overflow or Wraparound vulnerability in Ffmpeg

Integer overflow vulnerability in FFmpeg before n6.1, allows attackers to cause a denial of service (DoS) via the avcodec/osq module.

7.5
2024-01-27 CVE-2023-52187 Imagesourcecontrol Unspecified vulnerability in Imagesourcecontrol Image Source Control

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Thomas Maier Image Source Control Lite – Show Image Credits and Captions.This issue affects Image Source Control Lite – Show Image Credits and Captions: from n/a through 2.17.0.

7.5
2024-01-26 CVE-2023-6919 Biges Path Traversal: '/../filedir' vulnerability in Biges products

Path Traversal: '/../filedir' vulnerability in Biges Safe Life Technologies Electronics Inc.

7.5
2024-01-26 CVE-2024-23629 Motorola Improper Authentication vulnerability in Motorola Mr2600 Firmware

An authentication bypass vulnerability exists in the web component of the Motorola MR2600.

7.5
2024-01-25 CVE-2024-0889 Kmint21 Improper Resource Shutdown or Release vulnerability in Kmint21 Golden FTP Server 2.02B

A vulnerability was found in Kmint21 Golden FTP Server 2.02b and classified as problematic.

7.5
2024-01-25 CVE-2024-21619 Juniper Information Exposure Through an Error Message vulnerability in Juniper Junos

A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information. When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder.

7.5
2024-01-25 CVE-2024-0887 Mafiatic Improper Resource Shutdown or Release vulnerability in Mafiatic Blue Server 1.1

A vulnerability, which was classified as problematic, has been found in Mafiatic Blue Server 1.1.

7.5
2024-01-25 CVE-2024-0888 10N Improper Resource Shutdown or Release vulnerability in 10N Borgchat 1.0.0

A vulnerability, which was classified as problematic, was found in BORGChat 1.0.0 Build 438.

7.5
2024-01-25 CVE-2024-0885 Spycamlizard Improper Resource Shutdown or Release vulnerability in Spycamlizard 1.230

A vulnerability classified as problematic has been found in SpyCamLizard 1.230.

7.5
2024-01-25 CVE-2023-52355 Libtiff
Redhat
Out-of-bounds Write vulnerability in multiple products

An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API.

7.5
2024-01-25 CVE-2023-52356 Libtiff
Redhat
Out-of-bounds Write vulnerability in multiple products

A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API.

7.5
2024-01-25 CVE-2024-23656 Linuxfoundation Inadequate Encryption Strength vulnerability in Linuxfoundation DEX 2.37.0

Dex is an identity service that uses OpenID Connect to drive authentication for other apps.

7.5
2024-01-25 CVE-2024-0882 Linkwechat Path Traversal vulnerability in Linkwechat 5.1.0

A vulnerability was found in qwdigital LinkWechat 5.1.0.

7.5
2024-01-25 CVE-2024-0822 Ovirt Improper Authentication vulnerability in Ovirt Ovirt-Engine

An authentication bypass vulnerability was found in overt-engine.

7.5
2024-01-25 CVE-2024-23985 Ezhometech Unspecified vulnerability in Ezhometech Ezserver 6.4.017

EzServer 6.4.017 allows a denial of service (daemon crash) via a long string, such as one for the RNTO command.

7.5
2024-01-24 CVE-2021-42145 Contiki NG Improper Handling of Exceptional Conditions vulnerability in Contiki-Ng Tinydtls 20180830

An assertion failure discovered in in check_certificate_request() in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers to cause a denial of service.

7.5
2024-01-24 CVE-2021-42146 Contiki NG Improper Handling of Exceptional Conditions vulnerability in Contiki-Ng Tinydtls 20180830

An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97.

7.5
2024-01-24 CVE-2023-51888 Ctan Classic Buffer Overflow vulnerability in Ctan Mathtex

Buffer Overflow vulnerability in the nomath() function in Mathtex v.1.05 and before allows a remote attacker to cause a denial of service via a crafted string in the application URL.

7.5
2024-01-24 CVE-2023-51890 Ctan Infinite Loop vulnerability in Ctan Mathtex

An infinite loop issue discovered in Mathtex 1.05 and before allows a remote attackers to consume CPU resources via crafted string in the application URL.

7.5
2024-01-24 CVE-2024-23904 Jenkins Unspecified vulnerability in Jenkins LOG Command

Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system.

7.5
2024-01-24 CVE-2023-51886 Ctan Classic Buffer Overflow vulnerability in Ctan Mathtex

Buffer Overflow vulnerability in the main() function in Mathtex 1.05 and before allows a remote attacker to cause a denial of service when using \convertpath.

7.5
2024-01-24 CVE-2024-23641 Svelte Unspecified vulnerability in Svelte Adapter-Node and KIT

SvelteKit is a web development kit.

7.5
2024-01-24 CVE-2024-22141 Cozmoslabs Information Exposure vulnerability in Cozmoslabs Profile Builder

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Cozmoslabs Profile Builder Pro.This issue affects Profile Builder Pro: from n/a through 3.10.0.

7.5
2024-01-24 CVE-2023-50943 Apache Deserialization of Untrusted Data vulnerability in Apache Airflow

Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization.

7.5
2024-01-24 CVE-2024-22154 Snpdigital Information Exposure vulnerability in Snpdigital Salesking

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SNP Digital SalesKing.This issue affects SalesKing: from n/a through 1.6.15.

7.5
2024-01-24 CVE-2024-22294 Ip2Location Information Exposure vulnerability in Ip2Location Country Blocker

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in IP2Location IP2Location Country Blocker.This issue affects IP2Location Country Blocker: from n/a through 2.33.3.

7.5
2024-01-24 CVE-2024-22301 Eduva Information Exposure vulnerability in Eduva Albo Pretorio Online

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ignazio Scimone Albo Pretorio On line.This issue affects Albo Pretorio On line: from n/a through 4.6.6.

7.5
2024-01-24 CVE-2024-0804 Google
Fedoraproject
Insufficient policy enforcement in iOS Security UI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
7.5
2024-01-23 CVE-2023-7237 Lantronix Inadequate Encryption Strength vulnerability in Lantronix Xport Edge Firmware 2.0.0.13

Lantronix XPort sends weakly encoded credentials within web request headers.

7.5
2024-01-23 CVE-2023-52325 Trendmicro Unspecified vulnerability in Trendmicro Apex Central 2019

A local file inclusion vulnerability in one of Trend Micro Apex Central's widgets could allow a remote attacker to execute arbitrary code on affected installations. Please note: this vulnerability must be used in conjunction with another one to exploit an affected system.

7.5
2024-01-23 CVE-2023-50275 HP Improper Authentication vulnerability in HP Oneview

HPE OneView may allow clusterService Authentication Bypass resulting in denial of service.

7.5
2024-01-23 CVE-2024-0743 Mozilla Unchecked Return Value vulnerability in Mozilla Firefox

An unchecked return value in TLS handshake code could have caused a potentially exploitable crash.

7.5
2024-01-23 CVE-2024-0744 Mozilla Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox

In some circumstances, JIT compiled code could have dereferenced a wild pointer value.

7.5
2024-01-23 CVE-2024-22768 Hitron Systems Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware

Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.

7.5
2024-01-23 CVE-2024-22769 Hitron Systems Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware

Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.

7.5
2024-01-23 CVE-2024-22770 Hitron Systems Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware

Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.

7.5
2024-01-23 CVE-2024-22771 Hitron Systems Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware

Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.

7.5
2024-01-23 CVE-2024-22772 Hitron Systems Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware

Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.

7.5
2024-01-23 CVE-2024-23842 Hitron Systems Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware

Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.

7.5
2024-01-23 CVE-2023-39197 Linux
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel.

7.5
2024-01-23 CVE-2024-23203 Apple Unspecified vulnerability in Apple Ipados, Iphone OS and Macos

The issue was addressed with additional permissions checks.

7.5
2024-01-23 CVE-2024-23204 Apple Unspecified vulnerability in Apple products

The issue was addressed with additional permissions checks.

7.5
2024-01-22 CVE-2023-47152 IBM Information Exposure Through an Error Message vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an insecure cryptographic algorithm and to information disclosure in stack trace under exceptional conditions.

7.5
2024-01-22 CVE-2023-45193 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server is vulnerable to a denial of service when a specially crafted cursor is used.

7.5
2024-01-22 CVE-2024-0605 Mozilla Race Condition vulnerability in Mozilla Firefox Focus

Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar.

7.5
2024-01-22 CVE-2024-22233 Vmware Unspecified vulnerability in VMWare Spring Framework 6.0.15/6.1.2

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.

7.5
2024-01-22 CVE-2023-52354 Blitiri HTTP Request Smuggling vulnerability in Blitiri Chasquid

chasquid before 1.13 allows SMTP smuggling because LF-terminated lines are accepted.

7.5
2024-01-23 CVE-2024-23342 Tlsfuzzer Covert Timing Channel vulnerability in Tlsfuzzer Ecdsa

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman).

7.4
2024-01-27 CVE-2024-22147 Wpovernight SQL Injection vulnerability in Wpovernight Woocommerce PDF Invoices& Packing Slips

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Overnight PDF Invoices & Packing Slips for WooCommerce.This issue affects PDF Invoices & Packing Slips for WooCommerce: from n/a through 3.7.5.

7.2
2024-01-26 CVE-2024-20263 Cisco Unspecified vulnerability in Cisco products

A vulnerability with the access control list (ACL) management within a stacked switch configuration of Cisco Business 250 Series Smart Switches and Business 350 Series Managed Switches could allow an unauthenticated, remote attacker to bypass protection offered by a configured ACL on an affected device.

7.2
2024-01-26 CVE-2024-0918 Trendnet OS Command Injection vulnerability in Trendnet Tew-800Mb Firmware 1.0.1.0

A vulnerability was found in TRENDnet TEW-800MB 1.0.1.0 and classified as critical.

7.2
2024-01-26 CVE-2024-0919 Trendnet Command Injection vulnerability in Trendnet Tew-815Dap Firmware 1.0.2.0

A vulnerability was found in TRENDnet TEW-815DAP 1.0.2.0.

7.2
2024-01-26 CVE-2024-0920 Trendnet Command Injection vulnerability in Trendnet Tew-822Dre Firmware 1.03B02

A vulnerability was found in TRENDnet TEW-822DRE 1.03B02.

7.2
2024-01-25 CVE-2024-24399 Lepton CMS Unrestricted Upload of File with Dangerous Type vulnerability in Lepton-Cms Leptoncms 7.0.0

An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area.

7.2
2024-01-24 CVE-2023-24676 Processwire Unspecified vulnerability in Processwire 3.0.210

An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module.

7.2
2024-01-24 CVE-2024-22135 Webtoffee Unrestricted Upload of File with Dangerous Type vulnerability in Webtoffee Order Export & Order Import for Woocommerce

Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Order Export & Order Import for WooCommerce.This issue affects Order Export & Order Import for WooCommerce: from n/a through 2.4.3.

7.2
2024-01-24 CVE-2024-22152 Webtoffee Unrestricted Upload of File with Dangerous Type vulnerability in Webtoffee Product Import Export for Woocommerce

Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce.This issue affects Product Import Export for WooCommerce: from n/a through 2.3.7.

7.2
2024-01-24 CVE-2023-31037 Nvidia OS Command Injection vulnerability in Nvidia Bluefield BMC

NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call.

7.2
2024-01-22 CVE-2023-7082 Soflyy Unspecified vulnerability in Soflyy Export ANY Wordpress Data to Xml/Csv

The Import any XML or CSV File to WordPress plugin before 3.7.3 accepts all zip files and automatically extracts the zip file into a publicly accessible directory without sufficiently validating the extracted file type.

7.2
2024-01-26 CVE-2023-6291 Redhat Open Redirect vulnerability in Redhat products

A flaw was found in the redirect_uri validation logic in Keycloak.

7.1
2024-01-24 CVE-2023-44281 Dell Unspecified vulnerability in Dell Pair

Dell Pair Installer version prior to 1.2.1 contains an elevation of privilege vulnerability.

7.1
2024-01-23 CVE-2023-52331 Trendmicro Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019

A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

7.1
2024-01-22 CVE-2024-0775 Linux
Redhat
Use After Free vulnerability in multiple products

A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel.

7.1
2024-01-23 CVE-2023-51043 Linux Use After Free vulnerability in Linux Kernel

In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.

7.0

241 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-24 CVE-2024-22366 Yamaha OS Command Injection vulnerability in Yamaha products

Active debug code exists in Yamaha wireless LAN access point devices.

6.8
2024-01-24 CVE-2024-22372 Elecom OS Command Injection vulnerability in Elecom products

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.

6.8
2024-01-27 CVE-2024-23506 Instawp Unspecified vulnerability in Instawp Connect

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.

6.5
2024-01-26 CVE-2024-23820 Openfga Memory Leak vulnerability in Openfga

OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3.

6.5
2024-01-26 CVE-2023-6159 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.

6.5
2024-01-25 CVE-2023-41474 Ivanti Path Traversal vulnerability in Ivanti Avalanche 6.3.4.153

Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.

6.5
2024-01-25 CVE-2024-22432 Dell Insufficiently Protected Credentials vulnerability in Dell Networker

Networker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups.

6.5
2024-01-24 CVE-2024-23649 Join Lemmy Unspecified vulnerability in Join-Lemmy Lemmy

Lemmy is a link aggregator and forum for the fediverse.

6.5
2024-01-24 CVE-2024-23899 Jenkins Unspecified vulnerability in Jenkins GIT Server 99.Va0826Abcdfad

Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.

6.5
2024-01-24 CVE-2024-23901 Jenkins Unspecified vulnerability in Jenkins Github Branch Source

Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next scan of the group.

6.5
2024-01-24 CVE-2023-50944 Apache Missing Authorization vulnerability in Apache Airflow

Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it.

6.5
2024-01-24 CVE-2023-51702 Apache Cleartext Storage of Sensitive Information vulnerability in Apache Airflow and Airflow Cncf Kubernetes

Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption.

6.5
2024-01-24 CVE-2024-22134 Renzojohnson Server-Side Request Forgery (SSRF) vulnerability in Renzojohnson Contact Form 7 Extension for Mailchimp 0.5.70

Server-Side Request Forgery (SSRF) vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp.This issue affects Contact Form 7 Extension For Mailchimp: from n/a through 0.5.70.

6.5
2024-01-24 CVE-2024-0814 Google
Fedoraproject
Origin Validation Error vulnerability in multiple products

Incorrect security UI in Payments in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially spoof security UI via a crafted HTML page.

6.5
2024-01-24 CVE-2024-23638 Squid Cache Operation on a Resource after Expiration or Release vulnerability in Squid-Cache Squid

Squid is a caching proxy for the Web.

6.5
2024-01-23 CVE-2023-35836 Solax Unspecified vulnerability in Solax Pocket Wifi 3 Firmware 3.0.0/3.009.0320230504

An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02.

6.5
2024-01-23 CVE-2024-0741 Mozilla
Debian
Out-of-bounds Write vulnerability in multiple products

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash.

6.5
2024-01-23 CVE-2024-0746 Mozilla
Debian
A Linux user opening the print preview dialog could have caused the browser to crash.
6.5
2024-01-23 CVE-2024-0747 Mozilla
Debian
When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy.
6.5
2024-01-23 CVE-2024-0752 Mozilla Use After Free vulnerability in Mozilla Firefox

A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system.

6.5
2024-01-23 CVE-2024-0753 Mozilla
Debian
In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain.
6.5
2024-01-23 CVE-2024-0754 Mozilla Unspecified vulnerability in Mozilla Firefox

Some WASM source files could have caused a crash when loaded in devtools.

6.5
2024-01-23 CVE-2024-23206 Apple Unspecified vulnerability in Apple products

An access issue was addressed with improved access restrictions.

6.5
2024-01-22 CVE-2024-23339 Elijahharry Unspecified vulnerability in Elijahharry Hoolock 2.0.0/2.1.0/2.2.0

hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled.

6.5
2024-01-22 CVE-2023-47141 IBM Unspecified vulnerability in IBM DB2

IIBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query.

6.5
2024-01-22 CVE-2024-23675 Splunk Incorrect Authorization vulnerability in Splunk Cloud and Splunk

In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API).

6.5
2024-01-22 CVE-2023-27859 IBM Unspecified vulnerability in IBM DB2

IBM Db2 10.1, 10.5, and 11.1 could allow a remote user to execute arbitrary code caused by installing like named jar files across multiple databases.

6.5
2024-01-22 CVE-2023-47158 IBM Unspecified vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1 and 11.5 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query.

6.5
2024-01-22 CVE-2023-47747 IBM Unspecified vulnerability in IBM DB2

IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.1, 10.5, and 11.1 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query.

6.5
2024-01-22 CVE-2023-47746 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query.

6.5
2024-01-22 CVE-2023-50308 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 under certain circumstances could allow an authenticated user to the database to cause a denial of service when a statement is run on columnar tables.

6.5
2024-01-22 CVE-2023-44395 Autolabproject Path Traversal vulnerability in Autolabproject Autolab

Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web.

6.5
2024-01-27 CVE-2024-0667 10Web Cross-Site Request Forgery (CSRF) vulnerability in 10Web Form Maker

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21.

6.3
2024-01-23 CVE-2023-42887 Apple Unspecified vulnerability in Apple Macos

An access issue was addressed with additional sandbox restrictions.

6.3
2024-01-23 CVE-2024-23219 Apple Improper Authentication vulnerability in Apple Ipados

The issue was addressed with improved authentication.

6.2
2024-01-23 CVE-2024-23223 Apple Unspecified vulnerability in Apple products

A privacy issue was addressed with improved handling of files.

6.2
2024-01-26 CVE-2024-0948 Netbox Cross-site Scripting vulnerability in Netbox

** DISPUTED ** A vulnerability, which was classified as problematic, has been found in NetBox up to 3.7.0.

6.1
2024-01-26 CVE-2024-22550 Shopsite Unrestricted Upload of File with Dangerous Type vulnerability in Shopsite 14.0

An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file.

6.1
2024-01-26 CVE-2024-22551 Ushainformatique Cross-site Scripting vulnerability in Ushainformatique Whatacart 2.0.7

WhatACart v2.0.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /site/default/search.

6.1
2024-01-26 CVE-2024-23890 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itempopup.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23891 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemcreate.php, in the itemid parameter.

6.1
2024-01-26 CVE-2024-23892 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/costcentercreate.php, in the costcenterid parameter.

6.1
2024-01-26 CVE-2024-23893 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/costcentermodify.php, in the costcenterid parameter.

6.1
2024-01-26 CVE-2024-23894 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancecreate.php, in the issuancedate parameter.

6.1
2024-01-26 CVE-2024-23896 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stock.php, in the batchno parameter.

6.1
2024-01-26 CVE-2024-23863 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructuredisplay.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23864 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/countrylist.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23865 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructurelist.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23866 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/countrycreate.php, in the countryid parameter.

6.1
2024-01-26 CVE-2024-23867 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statecreate.php, in the stateid parameter.

6.1
2024-01-26 CVE-2024-23868 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnlist.php, in the deleted parameter.

6.1
2024-01-26 CVE-2024-23869 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuanceprint.php, in the issuanceno parameter.

6.1
2024-01-26 CVE-2024-23870 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancelist.php, in the delete parameter.

6.1
2024-01-26 CVE-2024-23871 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/unitofmeasurementmodify.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23872 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/locationmodify.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23873 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/currencymodify.php, in the currencyid parameter.

6.1
2024-01-26 CVE-2024-23874 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/companymodify.php, in the address1 parameter.

6.1
2024-01-26 CVE-2024-23875 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancedisplay.php, in the issuanceno parameter.

6.1
2024-01-26 CVE-2024-23876 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructurecreate.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23877 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/currencycreate.php, in the currencyid parameter.

6.1
2024-01-26 CVE-2024-23878 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnprint.php, in the grnno parameter.

6.1
2024-01-26 CVE-2024-23879 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statemodify.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23880 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxcodelist.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23881 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statelist.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23882 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxcodecreate.php, in the taxcodeid parameter.

6.1
2024-01-26 CVE-2024-23883 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructuremodify.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23884 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnmodify.php, in the grndate parameter.

6.1
2024-01-26 CVE-2024-23885 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/countrymodify.php, in the countryid parameter.

6.1
2024-01-26 CVE-2024-23886 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemmodify.php, in the bincardinfo parameter.

6.1
2024-01-26 CVE-2024-23887 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grncreate.php, in the grndate parameter.

6.1
2024-01-26 CVE-2024-23888 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stocktransactionslist.php, in the itemidy parameter.

6.1
2024-01-26 CVE-2024-23889 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemgroupcreate.php, in the itemgroupid parameter.

6.1
2024-01-26 CVE-2024-23856 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemlist.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23857 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnlinecreate.php, in the batchno parameter.

6.1
2024-01-26 CVE-2024-23858 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancelinecreate.php, in the batchno parameter.

6.1
2024-01-26 CVE-2024-23859 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructurelinecreate.php, in the flatamount parameter.

6.1
2024-01-26 CVE-2024-23860 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/currencylist.php, in the description parameter.

6.1
2024-01-26 CVE-2024-23861 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/unitofmeasurementcreate.php, in the unitofmeasurementid parameter.

6.1
2024-01-26 CVE-2024-23862 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grndisplay.php, in the grnno parameter.

6.1
2024-01-26 CVE-2024-23388 Mercari Missing Authorization vulnerability in Mercari 3.51.0/3.52.0/4.49.1

Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.

6.1
2024-01-25 CVE-2024-21620 Juniper Cross-site Scripting vulnerability in Juniper Junos

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: * All versions earlier than 20.4R3-S10; * 21.2 versions earlier than 21.2R3-S8; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3-S1; * 23.2 versions earlier than 23.2R2; * 23.4 versions earlier than 23.4R2.

6.1
2024-01-25 CVE-2024-23055 Plone Unspecified vulnerability in Plone Docker Official Image 5.2.13

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers.

6.1
2024-01-25 CVE-2024-22635 Webcalendar Project Cross-site Scripting vulnerability in Webcalendar Project Webcalendar 1.3.0

WebCalendar v1.3.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /WebCalendarvqsmnseug2/edit_entry.php.

6.1
2024-01-25 CVE-2024-22637 Formtools Cross-site Scripting vulnerability in Formtools Form Tools 3.1.1

Form Tools v3.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /form_builder/preview.php?form_id=2.

6.1
2024-01-25 CVE-2024-22639 Igalerie Cross-site Scripting vulnerability in Igalerie 3.0.22

iGalerie v3.0.22 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Titre (Title) field in the editing interface.

6.1
2024-01-25 CVE-2024-23817 Dolibarr Cross-site Scripting vulnerability in Dolibarr Erp/Crm 18.0.4

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package.

6.1
2024-01-25 CVE-2024-23855 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxcodemodify.php, in multiple parameters.

6.1
2024-01-25 CVE-2023-6282 Icehrm Cross-site Scripting vulnerability in Icehrm 23.0.0.Os

IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters.

6.1
2024-01-25 CVE-2023-33758 Splicecom Cross-site Scripting vulnerability in Splicecom Maximiser Soft PBX

Splicecom Maximiser Soft PBX v1.5 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the CLIENT_NAME and DEVICE_GUID fields in the login component.

6.1
2024-01-24 CVE-2024-22725 Orthanc Server Cross-site Scripting vulnerability in Orthanc-Server Orthanc

Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability.

6.1
2024-01-24 CVE-2023-6697 Wpgmaps Cross-site Scripting vulnerability in Wpgmaps WP GO Maps

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient input sanitization and output escaping.

6.1
2024-01-24 CVE-2024-22308 Simple Membership Plugin Open Redirect vulnerability in Simple-Membership-Plugin Simple Membership

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in smp7, wp.Insider Simple Membership.This issue affects Simple Membership: from n/a through 4.4.1.

6.1
2024-01-24 CVE-2024-0665 Marvinlabs Cross-site Scripting vulnerability in Marvinlabs WP Customer Area

The WP Customer Area plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.1 due to insufficient input sanitization and output escaping.

6.1
2024-01-24 CVE-2024-23633 Humansignal Cross-site Scripting vulnerability in Humansignal Label Studio

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website.

6.1
2024-01-23 CVE-2023-41176 Trendmicro Cross-site Scripting vulnerability in Trendmicro Mobile Security 9.8

Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker. Please note, this vulnerability is similar to, but not identical to, CVE-2023-41177.

6.1
2024-01-23 CVE-2023-41177 Trendmicro Cross-site Scripting vulnerability in Trendmicro Mobile Security 9.8

Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker. Please note, this vulnerability is similar to, but not identical to, CVE-2023-41178.

6.1
2024-01-23 CVE-2023-41178 Trendmicro Cross-site Scripting vulnerability in Trendmicro Mobile Security 9.8

Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker. Please note, this vulnerability is similar to, but not identical to, CVE-2023-41176.

6.1
2024-01-23 CVE-2023-52326 Trendmicro Cross-site Scripting vulnerability in Trendmicro Apex Central 2019

Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers. Please note this vulnerability is similar, but not identical to CVE-2023-52327.

6.1
2024-01-23 CVE-2023-52327 Trendmicro Cross-site Scripting vulnerability in Trendmicro Apex Central 2019

Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers. Please note this vulnerability is similar, but not identical to CVE-2023-52328.

6.1
2024-01-23 CVE-2023-52328 Trendmicro Cross-site Scripting vulnerability in Trendmicro Apex Central 2019

Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers. Please note this vulnerability is similar, but not identical to CVE-2023-52329.

6.1
2024-01-23 CVE-2023-52329 Trendmicro Cross-site Scripting vulnerability in Trendmicro Apex Central 2019

Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers. Please note this vulnerability is similar, but not identical to CVE-2023-52326.

6.1
2024-01-23 CVE-2023-52330 Trendmicro Cross-site Scripting vulnerability in Trendmicro Apex ONE

A cross-site scripting vulnerability in Trend Micro Apex Central could allow a remote attacker to execute arbitrary code on affected installations of Trend Micro Apex Central. Please note: user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

6.1
2024-01-23 CVE-2023-7238 Orthanc Server Cross-site Scripting vulnerability in Orthanc-Server Osimis web Viewer 1.4.2.09D9Eff4

A XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered.

6.1
2024-01-23 CVE-2024-22497 Jfinalcms Project Cross-site Scripting vulnerability in Jfinalcms Project Jfinalcms 5.0.0

Cross Site Scripting (XSS) vulnerability in /admin/login password parameter in JFinalcms 5.0.0 allows attackers to run arbitrary code via crafted URL.

6.1
2024-01-23 CVE-2023-45889 Classlink Cross-site Scripting vulnerability in Classlink Oneclick 10.7/10.8

A Universal Cross Site Scripting (UXSS) vulnerability in ClassLink OneClick Extension through 10.8 allows remote attackers to inject JavaScript into any webpage.

6.1
2024-01-23 CVE-2024-22417 Benbusby Cross-site Scripting vulnerability in Benbusby Whoogle Search

Whoogle Search is a self-hosted metasearch engine.

6.1
2024-01-23 CVE-2024-23341 Ithuan Cross-site Scripting vulnerability in Ithuan Tuitse-Tsusin

TuiTse-TsuSin is a package for organizing the comparative corpus of Taiwanese Chinese characters and Roman characters, and extracting sentences of the Taiwanese Chinese characters and the Roman characters.

6.1
2024-01-23 CVE-2024-22490 Beetl BBS Project Cross-site Scripting vulnerability in Beetl-Bbs Project Beetl-Bbs 2.0

Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the /index keyword parameter.

6.1
2024-01-23 CVE-2024-22496 Jfinalcms Project Cross-site Scripting vulnerability in Jfinalcms Project Jfinalcms 5.0.0

Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the /admin/login username parameter.

6.1
2024-01-23 CVE-2024-23181 Appleple Cross-site Scripting vulnerability in Appleple A-Blog CMS

Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the logged-in user's web browser.

6.1
2024-01-23 CVE-2024-0587 Ampforwp Cross-site Scripting vulnerability in Ampforwp Accelerated Mobile Pages

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'disqus_name' parameter in all versions up to, and including, 1.0.92.1 due to insufficient input sanitization and output escaping on the executed JS file.

6.1
2024-01-22 CVE-2023-7170 Myeventon Cross-site Scripting vulnerability in Myeventon Rsvp Events

The EventON-RSVP WordPress plugin before 2.9.5 does not sanitise and escape some parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2024-01-22 CVE-2023-7194 Meris WP Theme Project Cross-site Scripting vulnerability in Meris WP Theme Project Meris WP Theme

The Meris WordPress theme through 1.1.2 does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2024-01-22 CVE-2024-0606 Mozilla Cross-site Scripting vulnerability in Mozilla Firefox Focus

An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage.

6.1
2024-01-22 CVE-2024-0782 Online Railway Reservation System Project Cross-site Scripting vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

A vulnerability has been found in CodeAstro Online Railway Reservation System 1.0 and classified as problematic.

6.1
2024-01-22 CVE-2024-0781 Martmbithi Open Redirect vulnerability in Martmbithi Internet Banking System 1.0

A vulnerability, which was classified as problematic, was found in CodeAstro Internet Banking System 1.0.

6.1
2024-01-22 CVE-2024-22113 Anglers NET Open Redirect vulnerability in Anglers-Net CGI An-Anlyzer 20190624/20231231

Open redirect vulnerability in Access analysis CGI An-Analyzer released in 2023 December 31 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary websites and conduct phishing attacks via a specially crafted URL.

6.1
2024-01-25 CVE-2023-33757 Splicecom Improper Certificate Validation vulnerability in Splicecom Ipcs and Ipcs2

A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and iPCS (Android App) v1.8.5 and before allows attackers to eavesdrop on communications via a man-in-the-middle attack.

5.9
2024-01-23 CVE-2024-23218 Apple Information Exposure Through Discrepancy vulnerability in Apple products

A timing side-channel issue was addressed with improvements to constant-time computation in cryptographic functions.

5.9
2024-01-22 CVE-2024-21484 Jsrsasign Project Information Exposure Through Discrepancy vulnerability in Jsrsasign Project Jsrsasign

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process.

5.9
2024-01-23 CVE-2023-46889 Meross Cleartext Transmission of Sensitive Information vulnerability in Meross Msh30Q Firmware 4.5.23

Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information.

5.7
2024-01-26 CVE-2023-29081 Flexera Incorrect Default Permissions vulnerability in Flexera Installshield

A vulnerability has been reported in Suite Setups built with versions prior to InstallShield 2023 R2.

5.5
2024-01-26 CVE-2024-0727 Openssl Unspecified vulnerability in Openssl

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source.

5.5
2024-01-25 CVE-2024-0886 Poikosoft Improper Resource Shutdown or Release vulnerability in Poikosoft EZ CD Audio Converter 8.0.7

A vulnerability classified as problematic was found in Poikosoft EZ CD Audio Converter 8.0.7.

5.5
2024-01-25 CVE-2024-22099 Linux NULL Pointer Dereference vulnerability in Linux Kernel 2.6.12

NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers.

5.5
2024-01-24 CVE-2024-21765 Cals ED XXE vulnerability in Cals-Ed products

Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE).

5.5
2024-01-24 CVE-2024-21796 Dfeg XXE vulnerability in Dfeg Electronic Deliverables Creation Support Tool

Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE).

5.5
2024-01-24 CVE-2024-22380 Maff XXE vulnerability in Maff Electronic Delivery Check System 14.0.001.002

Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE).

5.5
2024-01-24 CVE-2022-4964 Canonical Incorrect Default Permissions vulnerability in Canonical Ubuntu Pipewire-Pulse

Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set.

5.5
2024-01-24 CVE-2024-23453 Spooncast Use of Hard-coded Credentials vulnerability in Spooncast Spoon 7.11.1/8.6.0

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered.

5.5
2024-01-23 CVE-2023-42144 Shelly Cleartext Transmission of Sensitive Information vulnerability in Shelly TRV Firmware 2.1.8

Cleartext Transmission during initial setup in Shelly TRV 20220811-15234 v.2.1.8 allows a local attacker to obtain the Wi-Fi password.

5.5
2024-01-23 CVE-2023-6573 HP Unspecified vulnerability in HP Oneview

HPE OneView may have a missing passphrase during restore.

5.5
2024-01-23 CVE-2023-46343 Linux NULL Pointer Dereference vulnerability in Linux Kernel

In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.

5.5
2024-01-23 CVE-2024-23848 Linux Use After Free vulnerability in Linux Kernel

In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.

5.5
2024-01-23 CVE-2024-23849 Linux Off-by-one Error vulnerability in Linux Kernel

In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.

5.5
2024-01-23 CVE-2024-23850 Linux Unspecified vulnerability in Linux Kernel

In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.

5.5
2024-01-23 CVE-2024-23851 Linux Unspecified vulnerability in Linux Kernel

copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check.

5.5
2024-01-23 CVE-2023-40528 Apple Unspecified vulnerability in Apple products

This issue was addressed by removing the vulnerable code.

5.5
2024-01-23 CVE-2023-42888 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved checks.

5.5
2024-01-23 CVE-2023-42935 Apple Unspecified vulnerability in Apple Macos

An authentication issue was addressed with improved state management.

5.5
2024-01-23 CVE-2023-42937 Apple Unspecified vulnerability in Apple products

A privacy issue was addressed with improved private data redaction for log entries.

5.5
2024-01-23 CVE-2024-23207 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved redaction of sensitive information.

5.5
2024-01-23 CVE-2024-23215 Apple Unspecified vulnerability in Apple products

An issue was addressed with improved handling of temporary files.

5.5
2024-01-23 CVE-2024-23224 Apple Unspecified vulnerability in Apple Macos

The issue was addressed with improved checks.

5.5
2024-01-22 CVE-2024-0430 Iobit NULL Pointer Dereference vulnerability in Iobit Malware Fighter 11.0.0.1274

IObit Malware Fighter v11.0.0.1274 is vulnerable to a Denial of Service vulnerability by triggering the 0x8001E00C IOCTL code of the ImfHpRegFilter.sys driver.

5.5
2024-01-22 CVE-2024-23770 Unix4Lyfe Unspecified vulnerability in Unix4Lyfe Darkhttpd 1.13/1.131/1.14

darkhttpd through 1.15 allows local users to discover credentials (for --auth) by listing processes and their arguments.

5.5
2024-01-22 CVE-2024-0774 Taurisoft Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Taurisoft ANY Sound Recorder 2.93

A vulnerability was found in Any-Capture Any Sound Recorder 2.93.

5.5
2024-01-22 CVE-2024-0772 Nsasoft Out-of-bounds Write vulnerability in Nsasoft Sharealarmpro 2.1.4

A vulnerability was found in Nsasoft ShareAlarmPro 2.1.4 and classified as problematic.

5.5
2024-01-28 CVE-2024-23782 Appleple Cross-site Scripting vulnerability in Appleple A-Blog CMS

Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier versions.

5.4
2024-01-27 CVE-2023-48201 Sunlight CMS Cross-site Scripting vulnerability in Sunlight-Cms Sunlight CMS 8.0.1

Cross Site Scripting (XSS) vulnerability in Sunlight CMS v.8.0.1, allows remote authenticated attackers to execute arbitrary code and escalate privileges via a crafted script to the Content text editor component.

5.4
2024-01-27 CVE-2023-48202 Sunlight CMS Cross-site Scripting vulnerability in Sunlight-Cms Sunlight CMS 8.0.1

Cross-Site Scripting (XSS) vulnerability in Sunlight CMS 8.0.1 allows an authenticated low-privileged user to escalate privileges via a crafted SVG file in the File Manager component.

5.4
2024-01-27 CVE-2024-0958 Swapnilsahu Cross-site Scripting vulnerability in Swapnilsahu Stock Management System 1.0

A vulnerability was found in CodeAstro Stock Management System 1.0 and classified as problematic.

5.4
2024-01-27 CVE-2024-0824 Devscred Cross-site Scripting vulnerability in Devscred Exclusive Addons for Elementor

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Anything functionality in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping.

5.4
2024-01-26 CVE-2023-48129 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in kimono-oldnew mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-26 CVE-2023-48126 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in Luxe Beauty Clinic mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-26 CVE-2023-48127 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in myGAKUYA mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-26 CVE-2023-48128 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in UNITED BOXING GYM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-26 CVE-2023-48130 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in GINZA CAFE mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-26 CVE-2023-48131 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in CHIGASAKI BAKERY mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-26 CVE-2023-48132 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in kosei entertainment esportsstudioLegends mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-26 CVE-2023-48133 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in angel coffee mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-26 CVE-2023-48135 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in mimasaka_farm mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-26 CVE-2023-5933 Gitlab Cross-site Scripting vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1.

5.4
2024-01-25 CVE-2024-0891 Hongmaple Cross-site Scripting vulnerability in Hongmaple Octopus 1.0

A vulnerability was found in hongmaple octopus 1.0.

5.4
2024-01-24 CVE-2024-23905 Jenkins Cross-site Scripting vulnerability in Jenkins RED HAT Dependency Analytics 0.7.0/0.7.1

Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc.

5.4
2024-01-24 CVE-2023-43988 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in nature fitness saijo mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43989 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in mokumoku chohu mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43990 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in cherub-hair mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43991 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in PRIMA CLINIC mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43992 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in STOCKMAN GROUP mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43993 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in smaregi_app_market mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43994 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in Cleaning_makotoya mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43995 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in picot.golf mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43996 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in Q co ltd mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43997 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in Yoruichi hobby base mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43998 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in Books-futaba mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-43999 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in COLORFUL_laundry mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-44000 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in Otakara lapis totuka mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2023-44001 Linecorp Unspecified vulnerability in Linecorp Line 13.6.1

An issue in Ailand clinic mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

5.4
2024-01-24 CVE-2024-0854 Synology Open Redirect vulnerability in Synology Diskstation Manager

URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors.

5.4
2024-01-23 CVE-2023-47115 Humansignal Cross-site Scripting vulnerability in Humansignal Label Studio

Label Studio is an a popular open source data labeling tool.

5.4
2024-01-23 CVE-2023-38624 Trendmicro Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019

A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625 through CVE-2023-38627.

5.4
2024-01-23 CVE-2023-38625 Trendmicro Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019

A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38624.

5.4
2024-01-23 CVE-2023-38626 Trendmicro Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019

A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625.

5.4
2024-01-23 CVE-2023-38627 Trendmicro Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019

A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38626.

5.4
2024-01-23 CVE-2023-42143 Shelly Improper Validation of Integrity Check Value vulnerability in Shelly TRV Firmware 2.1.8

Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c allows malicious users to create a backdoor by redirecting the device to an attacker-controlled machine which serves the manipulated firmware file.

5.4
2024-01-23 CVE-2023-49657 Apache Cross-site Scripting vulnerability in Apache Superset

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their config to include: TALISMAN_CONFIG = {     "content_security_policy": {         "base-uri": ["'self'"],         "default-src": ["'self'"],         "img-src": ["'self'", "blob:", "data:"],         "worker-src": ["'self'", "blob:"],         "connect-src": [             "'self'",             " https://api.mapbox.com" https://api.mapbox.com" ;,             " https://events.mapbox.com" https://events.mapbox.com" ;,         ],         "object-src": "'none'",         "style-src": [             "'self'",             "'unsafe-inline'",         ],         "script-src": ["'self'", "'strict-dynamic'"],     },     "content_security_policy_nonce_in": ["script-src"],     "force_https": False,     "session_cookie_secure": False, }

5.4
2024-01-23 CVE-2024-23183 Appleple Cross-site Scripting vulnerability in Appleple A-Blog CMS

Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute an arbitrary script on the logged-in user's web browser.

5.4
2024-01-23 CVE-2024-23345 Networktocode Cross-site Scripting vulnerability in Networktocode Nautobot

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application.

5.4
2024-01-22 CVE-2024-0776 PB CMS Project Cross-site Scripting vulnerability in Pb-Cms Project Pb-Cms 2.0

A vulnerability, which was classified as problematic, has been found in LinZhaoguan pb-cms 2.0.

5.4
2024-01-22 CVE-2024-0773 Martinmbithi Cross-site Scripting vulnerability in Martinmbithi Internet Banking System 1.0

A vulnerability classified as problematic was found in CodeAstro Internet Banking System 1.0.

5.4
2024-01-26 CVE-2024-0943 Totolink Insufficient Session Expiration vulnerability in Totolink N350Rt Firmware 9.3.5U.6255

A vulnerability was found in Totolink N350RT 9.3.5u.6255.

5.3
2024-01-26 CVE-2024-0944 Totolink Insufficient Session Expiration vulnerability in Totolink T8 Firmware 4.1.5Cu.83320220905

A vulnerability was found in Totolink T8 4.1.5cu.833_20220905.

5.3
2024-01-26 CVE-2023-5612 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1.

5.3
2024-01-26 CVE-2024-21387 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge for Android Spoofing Vulnerability

5.3
2024-01-25 CVE-2024-23655 Tuta Unspecified vulnerability in Tuta Tutanota

Tuta is an encrypted email service.

5.3
2024-01-25 CVE-2023-33760 Splicecom Improper Certificate Validation vulnerability in Splicecom Maximiser Soft PBX

SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate.

5.3
2024-01-25 CVE-2024-0617 Quanticedgesolutions Missing Authorization vulnerability in Quanticedgesolutions Category Discount Woocommerce

The Category Discount Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpcd_save_discount() function in all versions up to, and including, 4.12.

5.3
2024-01-25 CVE-2024-0624 Strangerstudios Cross-Site Request Forgery (CSRF) vulnerability in Strangerstudios Paid Memberships PRO

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7.

5.3
2024-01-24 CVE-2024-23903 Jenkins Incorrect Comparison vulnerability in Jenkins Github Branch Source

Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

5.3
2024-01-23 CVE-2024-22204 Benbusby Path Traversal vulnerability in Benbusby Whoogle Search

Whoogle Search is a self-hosted metasearch engine.

5.3
2024-01-23 CVE-2024-23330 Tuta Server-Side Request Forgery (SSRF) vulnerability in Tuta Tutanota

Tuta is an encrypted email service.

5.3
2024-01-23 CVE-2023-44401 Silverstripe Incorrect Authorization vulnerability in Silverstripe Graphql

The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations.

5.3
2024-01-22 CVE-2024-23340 Hono Path Traversal vulnerability in Hono Node-Server

@hono/node-server is an adapter that allows users to run Hono applications on Node.js.

5.3
2024-01-22 CVE-2024-23677 Splunk Information Exposure Through Log Files vulnerability in Splunk Cloud and Splunk

In Splunk Enterprise versions below 9.0.8, the Splunk RapidDiag utility discloses server responses from external applications in a log file.

5.3
2024-01-22 CVE-2023-6447 Metagauss Unspecified vulnerability in Metagauss Eventprime

The EventPrime WordPress plugin before 3.3.6 lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name.

5.3
2024-01-27 CVE-2023-6482 Synaptics Use of Hard-coded Credentials vulnerability in Synaptics Fingerprint Driver 6.0.00.1111

Use of encryption key derived from static information in Synaptics Fingerprint Driver allows an attacker to set up a TLS session with the fingerprint sensor and send restricted commands to the fingerprint sensor. This may allow an attacker, who has physical access to the sensor, to enroll a fingerprint into the template database.

5.2
2024-01-27 CVE-2024-0697 Softaculous Path Traversal vulnerability in Softaculous Backuply

The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.3 via the node_id parameter in the backuply_get_jstree function.

4.9
2024-01-27 CVE-2024-0618 Fluentforms Cross-site Scripting vulnerability in Fluentforms Contact Form

The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping.

4.8
2024-01-27 CVE-2023-6497 Tipsandtricks HQ Cross-site Scripting vulnerability in Tipsandtricks-Hq Wordpress Simple Paypal Shopping Cart

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automatic redirect URL setting in all versions up to and including 4.7.1 due to insufficient input sanitization and output escaping.

4.8
2024-01-27 CVE-2024-0664 Mekshq Cross-site Scripting vulnerability in Mekshq Meks Smart Social Widget

The Meks Smart Social Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meks Smart Social Widget in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping.

4.8
2024-01-26 CVE-2024-20305 Cisco Cross-site Scripting vulnerability in Cisco Unity Connection

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

4.8
2024-01-25 CVE-2023-52046 Webmin Cross-site Scripting vulnerability in Webmin

Cross Site Scripting vulnerability (XSS) in webmin v.2.105 and earlier allows a remote attacker to execute arbitrary code via a crafted payload to the "Execute cron job as" tab Input field.

4.8
2024-01-25 CVE-2024-0625 Wpfront Cross-site Scripting vulnerability in Wpfront Notification BAR

The WPFront Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpfront-notification-bar-options[custom_class]’ parameter in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping.

4.8
2024-01-25 CVE-2024-0688 Pubsubhubbub Cross-site Scripting vulnerability in Pubsubhubbub Websub

The "WebSub (FKA.

4.8
2024-01-24 CVE-2021-43584 Nagios Cross-site Scripting vulnerability in Nagios Cross Platform Agent

DOM-based Cross Site Scripting (XSS vulnerability in 'Tail Event Logs' functionality in Nagios Nagios Cross-Platform Agent (NCPA) before 2.4.0 allows attackers to run arbitrary code via the name element when filtering for a log.

4.8
2024-01-24 CVE-2024-22720 Kanboard Cross-site Scripting vulnerability in Kanboard 1.2.34

Kanboard 1.2.34 is vulnerable to Html Injection in the group management feature.

4.8
2024-01-23 CVE-2024-0703 WOW Company Cross-site Scripting vulnerability in Wow-Company Sticky Buttons

The Sticky Buttons – floating buttons builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via sticky URLs in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping.

4.8
2024-01-22 CVE-2023-6290 Seopress Cross-site Scripting vulnerability in Seopress

The SEOPress WordPress plugin before 7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

4.8
2024-01-22 CVE-2023-6456 Ljapps Cross-site Scripting vulnerability in Ljapps WP Review Slider

The WP Review Slider WordPress plugin before 13.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2024-01-22 CVE-2023-6626 Gravitymaster Cross-site Scripting vulnerability in Gravitymaster Product Enquiry for Woocommerce 3.0

The Product Enquiry for WooCommerce WordPress plugin before 3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2024-01-22 CVE-2020-36772 Cloudlinux Externally Controlled Reference to a Resource in Another Sphere vulnerability in Cloudlinux Cagefs

CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command.

4.4
2024-01-26 CVE-2024-0942 Totolink Insufficient Session Expiration vulnerability in Totolink N200Re-V5 Firmware 9.3.5U.6255B20211224

A vulnerability was found in Totolink N200RE V5 9.3.5u.6255_B20211224.

4.3
2024-01-26 CVE-2024-0456 Gitlab Unspecified vulnerability in Gitlab

An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1.

4.3
2024-01-26 CVE-2024-21382 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge for Android Information Disclosure Vulnerability

4.3
2024-01-25 CVE-2024-21630 Zulip Missing Authorization vulnerability in Zulip Server

Zulip is an open-source team collaboration tool.

4.3
2024-01-25 CVE-2024-0879 Mintplexlabs Improper Authentication vulnerability in Mintplexlabs Vector Admin

Authentication bypass in vector-admin allows a user to register to a vector-admin server while “domain restriction” is active, even when not owning an authorized email address.

4.3
2024-01-24 CVE-2024-23900 Jenkins Unspecified vulnerability in Jenkins Matrix Project

Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers.

4.3
2024-01-24 CVE-2024-23902 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Github Branch Source

A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL.

4.3
2024-01-24 CVE-2024-22229 Dell Improper Encoding or Escaping of Output vulnerability in Dell products

Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker.

4.3
2024-01-24 CVE-2024-0805 Google
Fedoraproject
Inappropriate implementation in Downloads in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to perform domain spoofing via a crafted domain name.
4.3
2024-01-24 CVE-2024-0809 Google
Fedoraproject
Inappropriate implementation in Autofill in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page.
4.3
2024-01-24 CVE-2024-0810 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in DevTools in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension.

4.3
2024-01-24 CVE-2024-0811 Google
Fedoraproject
Inappropriate implementation in Extensions API in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension.
4.3
2024-01-23 CVE-2023-48714 Silverstripe Incorrect Permission Assignment for Critical Resource vulnerability in Silverstripe Framework

Silverstripe Framework is the framework that forms the base of the Silverstripe content management system.

4.3
2024-01-23 CVE-2023-49783 Silverstripe Incorrect Authorization vulnerability in Silverstripe Admin

Silverstripe Admin provides a basic management interface for the Silverstripe Framework.

4.3
2024-01-23 CVE-2024-0742 Mozilla
Debian
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load.
4.3
2024-01-23 CVE-2024-0748 Mozilla Unspecified vulnerability in Mozilla Firefox

A compromised content process could have updated the document URI.

4.3
2024-01-23 CVE-2024-0749 Mozilla
Debian
Origin Validation Error vulnerability in multiple products

A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar.

4.3
2024-01-22 CVE-2023-6384 WP Eventmanager Authorization Bypass Through User-Controlled Key vulnerability in Wp-Eventmanager User Profile Avatar

The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar

4.3
2024-01-22 CVE-2023-6625 Gravitymaster Cross-Site Request Forgery (CSRF) vulnerability in Gravitymaster Product Enquiry for Woocommerce 3.0

The Product Enquiry for WooCommerce WordPress plugin before 3.1 does not have a CSRF check in place when deleting inquiries, which could allow attackers to make a logged in admin delete them via a CSRF attack

4.3

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-22 CVE-2024-23676 Splunk Unspecified vulnerability in Splunk Cloud and Splunk

In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view.

3.5
2024-01-28 CVE-2024-23743 Notion Unspecified vulnerability in Notion 3.1.0

Notion through 3.1.0 on macOS might allow code execution because of RunAsNode and enableNodeClilnspectArguments.

3.3
2024-01-26 CVE-2024-21383 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Spoofing Vulnerability

3.3
2024-01-23 CVE-2024-23210 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved redaction of sensitive information.

3.3
2024-01-23 CVE-2024-23211 Apple Unspecified vulnerability in Apple products

A privacy issue was addressed with improved handling of user preferences.

3.3
2024-01-23 CVE-2024-23217 Apple Unspecified vulnerability in Apple products

A privacy issue was addressed with improved handling of temporary files.

3.3
2024-01-25 CVE-2023-50785 Zohocorp Path Traversal vulnerability in Zohocorp Manageengine Adaudit Plus 7.2

Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal.

2.7
2024-01-26 CVE-2024-21336 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Spoofing Vulnerability

2.5