Search
Total
17685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-23796 | 1 Web-settler | 1 Form Builder | 2023-11-15 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Muneeb Form Builder | Create Responsive Contact Forms.This issue affects Form Builder | Create Responsive Contact Forms: from n/a through 1.9.9.0. | |||||
| CVE-2023-22719 | 1 Givewp | 1 Givewp | 2023-11-15 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in GiveWP.This issue affects GiveWP: from n/a through 2.25.1. | |||||
| CVE-2023-47397 | 1 Webidsupport | 1 Webid | 2023-11-15 | N/A | 9.8 CRITICAL |
| WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php. | |||||
| CVE-2023-23369 | 1 Qnap | 3 Media Streaming Add-on, Multimedia Console, Qts | 2023-11-15 | N/A | 9.8 CRITICAL |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 ( 2023/05/04 ) and later Multimedia Console 1.4.8 ( 2023/05/05 ) and later QTS 5.1.0.2399 build 20230515 and later QTS 4.3.6.2441 build 20230621 and later QTS 4.3.4.2451 build 20230621 and later QTS 4.3.3.2420 build 20230621 and later QTS 4.2.6 build 20230621 and later Media Streaming add-on 500.1.1.2 ( 2023/06/12 ) and later Media Streaming add-on 500.0.0.11 ( 2023/06/16 ) and later | |||||
| CVE-2023-23368 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2023-11-15 | N/A | 9.8 CRITICAL |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later | |||||
| CVE-2023-5801 | 1 Huawei | 2 Emui, Harmonyos | 2023-11-15 | N/A | 9.1 CRITICAL |
| Vulnerability of identity verification being bypassed in the face unlock module. Successful exploitation of this vulnerability will affect integrity and confidentiality. | |||||
| CVE-2023-5309 | 1 Puppet | 1 Puppet Enterprise | 2023-11-15 | N/A | 9.8 CRITICAL |
| Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. | |||||
| CVE-2023-47008 | 1 Asus | 2 Rt-ax57, Rt-ax57 Firmware | 2023-11-15 | N/A | 9.8 CRITICAL |
| An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the ifname field in the sub_4CCE4 function. | |||||
| CVE-2023-47007 | 1 Asus | 2 Rt-ax57, Rt-ax57 Firmware | 2023-11-15 | N/A | 9.8 CRITICAL |
| An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ifname field in the sub_391B8 function. | |||||
| CVE-2023-47006 | 1 Asus | 2 Rt-ax57, Rt-ax57 Firmware | 2023-11-15 | N/A | 9.8 CRITICAL |
| An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ipaddr field in the sub_6FC74 function. | |||||
| CVE-2023-47005 | 1 Asus | 2 Rt-ax57, Rt-ax57 Firmware | 2023-11-15 | N/A | 9.8 CRITICAL |
| An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ifname field in the sub_ln 2C318 function. | |||||
| CVE-2021-39231 | 1 Apache | 1 Ozone | 2023-11-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration. | |||||
| CVE-2022-45370 | 1 Webtoffee | 1 Wordpress Comments Import And Export | 2023-11-15 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee WordPress Comments Import & Export.This issue affects WordPress Comments Import & Export: from n/a through 2.3.1. | |||||
| CVE-2022-45360 | 1 Coffee2code | 1 Commenter Emails | 2023-11-15 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Scott Reilly Commenter Emails.This issue affects Commenter Emails: from n/a through 2.6.1. | |||||
| CVE-2020-5307 | 1 Phpgurukul | 1 Dairy Farm Shop Management System | 2023-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php. | |||||
| CVE-2021-26765 | 1 Phpgurukul | 1 Student Record System | 2023-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the sid parameter to edit-sub.php. | |||||
| CVE-2021-42224 | 1 Phpgurukul | 1 Ifsc Code Finder | 2023-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php. | |||||
| CVE-2023-33338 | 1 Phpgurukul | 1 Old Age Home Management System | 2023-11-14 | N/A | 9.8 CRITICAL |
| Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter. | |||||
| CVE-2021-26822 | 1 Phpgurukul | 1 Teachers Record Management System | 2023-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| Teachers Record Management System 1.0 is affected by a SQL injection vulnerability in 'searchteacher' POST parameter in search-teacher.php. This vulnerability can be exploited by a remote unauthenticated attacker to leak sensitive information and perform code execution attacks. | |||||
| CVE-2022-35156 | 1 Phpgurukul | 1 Bus Pass Management System | 2023-11-14 | N/A | 9.8 CRITICAL |
| Bus Pass Management System 1.0 was discovered to contain a SQL Injection vulnerability via the searchdata parameter at /buspassms/download-pass.php.. | |||||
| CVE-2022-36198 | 1 Phpgurukul | 1 Bus Pass Management System | 2023-11-14 | N/A | 9.8 CRITICAL |
| Multiple SQL injections detected in Bus Pass Management System 1.0 via buspassms/admin/view-enquiry.php, buspassms/admin/pass-bwdates-reports-details.php, buspassms/admin/changeimage.php, buspassms/admin/search-pass.php, buspassms/admin/edit-category-detail.php, and buspassms/admin/edit-pass-detail.php | |||||
| CVE-2023-42284 | 1 Tyk | 1 Tyk | 2023-11-14 | N/A | 9.8 CRITICAL |
| Blind SQL injection in api_version parameter in Tyk Gateway version 5.0.3 allows attacker to access and dump the database via a crafted SQL query. | |||||
| CVE-2022-2804 | 1 Phpgurukul | 1 Zoo Management System | 2023-11-14 | N/A | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Zoo Management System. It has been classified as critical. Affected is an unknown function of the file /pages/apply_vacancy.php. The manipulation of the argument filename leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-206250 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-2803 | 1 Phpgurukul | 1 Zoo Management System | 2023-11-14 | N/A | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Zoo Management System and classified as critical. This issue affects some unknown processing of the file /pages/animals.php. The manipulation of the argument class_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206249 was assigned to this vulnerability. | |||||
| CVE-2022-27351 | 1 Phpgurukul | 1 Zoo Management System | 2023-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| Zoo Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via /public_html/apply_vacancy. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2022-45810 | 1 Icegram | 1 Icegram Express | 2023-11-14 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce.This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2. | |||||
| CVE-2022-46803 | 1 Noptin | 1 Noptin | 2023-11-14 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin – Noptin.This issue affects Simple Newsletter Plugin – Noptin: from n/a through 1.9.5. | |||||
| CVE-2022-46801 | 1 Geminilabs | 1 Site Reviews | 2023-11-14 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews.This issue affects Site Reviews: from n/a through 6.2.0. | |||||
| CVE-2023-47253 | 1 Qualitor | 1 Qalitor | 2023-11-14 | N/A | 9.8 CRITICAL |
| Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter. | |||||
| CVE-2023-38406 | 1 Frrouting | 1 Frrouting | 2023-11-14 | N/A | 9.8 CRITICAL |
| bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow." | |||||
| CVE-2022-46809 | 1 Wpdeveloper | 1 Reviewx | 2023-11-14 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX – Multi-criteria Rating & Reviews for WooCommerce.This issue affects ReviewX – Multi-criteria Rating & Reviews for WooCommerce: from n/a through 1.6.7. | |||||
| CVE-2023-38547 | 1 Veeam | 1 One | 2023-11-14 | N/A | 9.8 CRITICAL |
| A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database. | |||||
| CVE-2023-33479 | 1 Remoteclinic | 1 Remote Clinic | 2023-11-14 | N/A | 9.8 CRITICAL |
| RemoteClinic version 2.0 contains a SQL injection vulnerability in the /staff/edit.php file. | |||||
| CVE-2023-33478 | 1 Remoteclinic | 1 Remote Clinic | 2023-11-14 | N/A | 9.8 CRITICAL |
| RemoteClinic 2.0 has a SQL injection vulnerability in the ID parameter of /medicines/stocks.php. | |||||
| CVE-2023-33481 | 1 Remoteclinic | 1 Remote Clinic | 2023-11-14 | N/A | 9.8 CRITICAL |
| RemoteClinic 2.0 is vulnerable to a time-based blind SQL injection attack in the 'start' GET parameter of patients/index.php. | |||||
| CVE-2023-47456 | 1 Tenda | 2 Ax1806, Ax1806 Firmware | 2023-11-14 | N/A | 9.1 CRITICAL |
| Tenda AX1806 V1.0.0.1 contains a stack overflow vulnerability in function sub_455D4, called by function fromSetWirelessRepeat. | |||||
| CVE-2023-47455 | 1 Tenda | 2 Ax1806, Ax1806 Firmware | 2023-11-14 | N/A | 9.1 CRITICAL |
| Tenda AX1806 V1.0.0.1 contains a heap overflow vulnerability in setSchedWifi function, in which the src and v12 are directly obtained from http request parameter schedStartTime and schedEndTime without checking their size. | |||||
| CVE-2023-42283 | 1 Tyk | 1 Tyk | 2023-11-14 | N/A | 9.8 CRITICAL |
| Blind SQL injection in api_id parameter in Tyk Gateway version 5.0.3 allows attacker to access and dump the database via a crafted SQL query. | |||||
| CVE-2023-46731 | 1 Xwiki | 1 Xwiki | 2023-11-14 | N/A | 9.8 CRITICAL |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document `XWiki.AdminSheet` (by default, everyone including unauthenticated users) to execute code including Groovy code. This impacts the confidentiality, integrity and availability of the whole XWiki instance. This vulnerability has been patched in XWiki 14.10.14, 15.6 RC1 and 15.5.1. Users are advised to upgrade. Users unablr to upgrade may apply the fix in commit `fec8e0e53f9` manually. Alternatively, to protect against attacks from unauthenticated users, view right for guests can be removed from this document (it is only needed for space and wiki admins). | |||||
| CVE-2023-5719 | 1 Redlion | 3 Crimson, Da50a, Da70a | 2023-11-14 | N/A | 9.8 CRITICAL |
| The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability. | |||||
| CVE-2023-5777 | 1 Weintek | 1 Easybuilder Pro | 2023-11-14 | N/A | 9.8 CRITICAL |
| Weintek EasyBuilder Pro contains a vulnerability that, even when the private key is immediately deleted after the crash report transmission is finished, the private key is exposed to the public, which could result in obtaining remote control of the crash report server. | |||||
| CVE-2021-28799 | 1 Qnap | 4 Hybrid Backup Sync, Qts, Quts Hero and 1 more | 2023-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 . | |||||
| CVE-2020-2509 | 1 Qnap | 2 Qts, Quts Hero | 2023-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later | |||||
| CVE-2022-4170 | 2 Fedoraproject, Rxvt-unicode Project | 3 Extra Packages For Enterprise Linux, Fedora, Rxvt-unicode | 2023-11-14 | N/A | 9.8 CRITICAL |
| The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. | |||||
| CVE-2023-4699 | 1 Mitsubishielectric | 432 Fx3g-14mr\/ds, Fx3g-14mr\/ds Firmware, Fx3g-14mr\/es and 429 more | 2023-11-14 | N/A | 9.1 CRITICAL |
| Insufficient Verification of Data Authenticity vulnerability in Mitsubishi Electric Corporation MELSEC-F Series main modules and MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker to reset the memory of the products to factory default state and cause denial-of-service (DoS) condition on the products by sending specific packets. | |||||
| CVE-2023-5601 | 1 Atomicwebstrategy | 1 Woocommerce Ninja Forms Product Add-ons | 2023-11-14 | N/A | 9.8 CRITICAL |
| The WooCommerce Ninja Forms Product Add-ons WordPress plugin before 1.7.1 does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE. | |||||
| CVE-2023-33045 | 1 Qualcomm | 258 Ar8035, Ar8035 Firmware, Csr8811 and 255 more | 2023-11-14 | N/A | 9.8 CRITICAL |
| Memory corruption in WLAN Firmware while parsing a NAN management frame carrying a S3 attribute. | |||||
| CVE-2023-22388 | 1 Qualcomm | 458 315 5g Iot Modem, 315 5g Iot Modem Firmware, 9205 Lte Modem and 455 more | 2023-11-14 | N/A | 9.8 CRITICAL |
| Memory Corruption in Multi-mode Call Processor while processing bit mask API. | |||||
| CVE-2023-45869 | 1 Ilias | 1 Ilias | 2023-11-14 | N/A | 9.0 CRITICAL |
| ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php) This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system. | |||||
| CVE-2023-45827 | 1 Clickbar | 1 Dot-diver | 2023-11-14 | N/A | 9.8 CRITICAL |
| Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability. | |||||