Search
Total
17685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41649 | 2 Debian, Openimageio | 2 Debian Linux, Openimageio | 2023-08-07 | N/A | 9.1 CRITICAL |
| A heap out of bounds read vulnerability exists in the handling of IPTC data while parsing TIFF images in OpenImageIO v2.3.19.0. A specially-crafted TIFF file can cause a read of adjacent heap memory, which can leak sensitive process information. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2020-22336 | 1 Pdfcrack Project | 1 Pdfcrack | 2023-08-06 | N/A | 9.8 CRITICAL |
| An issue was discovered in pdfcrack 0.17 thru 0.18, allows attackers to execute arbitrary code via a stack overflow in the MD5 function. | |||||
| CVE-2022-4557 | 1 Gruparge | 1 Smartpower | 2023-08-05 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection.This issue affects Smartpower Web: before 23.01.01. | |||||
| CVE-2023-28094 | 1 Pega | 1 Pega Platform | 2023-08-05 | N/A | 9.8 CRITICAL |
| Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials. | |||||
| CVE-2023-36132 | 1 Phpjabbers | 1 Availability Booking Calendar | 2023-08-05 | N/A | 9.8 CRITICAL |
| PHP Jabbers Availability Booking Calendar 5.0 is vulnerable to Incorrect Access Control. | |||||
| CVE-2023-36133 | 1 Phpjabbers | 1 Availability Booking Calendar | 2023-08-05 | N/A | 9.8 CRITICAL |
| PHPJabbers Availability Booking Calendar 5.0 is vulnerable to User Account Takeover through username/password change. | |||||
| CVE-2023-36139 | 1 Phpjabbers | 1 Cleaning Business Software | 2023-08-05 | N/A | 9.8 CRITICAL |
| In PHPJabbers Cleaning Business Software 1.0, lack of verification when changing an email address and/or password (on the Profile Page) allows remote attackers to take over accounts. | |||||
| CVE-2023-36131 | 1 Phpjabbers | 1 Availability Booking Calendar | 2023-08-05 | N/A | 9.8 CRITICAL |
| PHPJabbers Availability Booking Calendar 5.0 is vulnerable to Incorrect Access Control due to improper input validation of password parameter. | |||||
| CVE-2023-33371 | 1 Assaabloy | 1 Control Id Idsecure | 2023-08-05 | N/A | 9.8 CRITICAL |
| Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication. | |||||
| CVE-2023-35086 | 1 Asus | 4 Rt-ac86u, Rt-ac86u Firmware, Rt-ax56u V2 and 1 more | 2023-08-04 | N/A | 9.8 CRITICAL |
| It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by directly using input as a format string when calling syslog in logmessage_normal function, in the do_detwan_cgi module of httpd. An unauthenticated remote attacker without privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529. | |||||
| CVE-2023-37292 | 1 Hgiga | 1 Isherlock | 2023-08-04 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in HGiga iSherlock 4.5 (iSherlock-user modules), HGiga iSherlock 5.5 (iSherlock-user modules) allows OS Command Injection.This issue affects iSherlock 4.5: before iSherlock-user-4.5-174; iSherlock 5.5: before iSherlock-user-5.5-174. | |||||
| CVE-2023-34635 | 1 Wifi-soft | 1 Unibox Administration | 2023-08-04 | N/A | 9.8 CRITICAL |
| Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injection. The vulnerability occurs because of not validating or sanitizing the user input in the username field of the login page. | |||||
| CVE-2023-34842 | 1 Dedecms | 1 Dedecms | 2023-08-04 | N/A | 9.8 CRITICAL |
| Remote Code Execution vulnerability in DedeCMS through 5.7.109 allows remote attackers to run arbitrary code via crafted POST request to /dede/tpl.php. | |||||
| CVE-2023-3519 | 1 Citrix | 2 Netscaler Application Delivery Controller, Netscaler Gateway | 2023-08-04 | N/A | 9.8 CRITICAL |
| Unauthenticated remote code execution | |||||
| CVE-2023-33561 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-08-04 | N/A | 9.8 CRITICAL |
| Improper input validation of password parameter in PHP Jabbers Time Slots Booking Calendar v 3.3 results in insecure passwords. | |||||
| CVE-2023-33562 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-08-04 | N/A | 9.8 CRITICAL |
| User enumeration is found in in PHP Jabbers Time Slots Booking Calendar v3.3. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. | |||||
| CVE-2023-33493 | 1 Ajaxmanager Project | 1 Ajaxmanager | 2023-08-04 | N/A | 9.8 CRITICAL |
| An Unrestricted Upload of File with Dangerous Type vulnerability in the Ajaxmanager File and Database explorer (ajaxmanager) module for PrestaShop through 2.3.0, allows remote attackers to upload dangerous files without restrictions. | |||||
| CVE-2023-37478 | 1 Pnpm | 1 Pnpm | 2023-08-04 | N/A | 9.8 CRITICAL |
| pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8. | |||||
| CVE-2023-36210 | 1 Motocms | 1 Motocms | 2023-08-04 | N/A | 9.8 CRITICAL |
| MotoCMS Version 3.4.3 Store Category Template was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the keyword parameter. | |||||
| CVE-2023-31710 | 1 Tp-link | 2 Archer Ax21, Archer Ax21 Firmware | 2023-08-04 | N/A | 9.8 CRITICAL |
| TP-Link Archer AX21(US)_V3_1.1.4 Build 20230219 and AX21(US)_V3.6_1.1.4 Build 20230219 are vulnerable to Buffer Overflow. | |||||
| CVE-2023-37771 | 1 Phpgurukul | 1 Art Gallery Management System | 2023-08-04 | N/A | 9.8 CRITICAL |
| Art Gallery Management System v1.0 contains a SQL injection vulnerability via the cid parameter at /agms/product.php. | |||||
| CVE-2022-42183 | 1 Precisely | 1 Spectrum Spatial Analyst | 2023-08-04 | N/A | 9.1 CRITICAL |
| Precisely Spectrum Spatial Analyst 20.01 is vulnerable to Server-Side Request Forgery (SSRF). | |||||
| CVE-2023-39122 | 1 Bmc | 1 Control-m | 2023-08-04 | N/A | 9.8 CRITICAL |
| BMC Control-M through 9.0.20.200 allows SQL injection via the /RF-Server/report/deleteReport report-id parameter. This is fixed in 9.0.21 (and is also fixed by a patch for 9.0.20.200). | |||||
| CVE-2023-37214 | 1 Heights-t | 2 Ero1xs-pro, Ero1xs-pro Firmware | 2023-08-04 | N/A | 9.8 CRITICAL |
| Heights Telecom ERO1xS-Pro Dual-Band FW version BZ_ERO1XP.025. | |||||
| CVE-2023-37215 | 1 Jbl | 2 Jbl Bar 5.1 Surround, Jbl Bar 5.1 Surround Firmware | 2023-08-04 | N/A | 9.8 CRITICAL |
| JBL soundbar multibeam 5.1 - CWE-798: Use of Hard-coded Credentials | |||||
| CVE-2023-37647 | 1 Sem-cms | 1 Semcms | 2023-08-04 | N/A | 9.8 CRITICAL |
| SEMCMS v1.5 was discovered to contain a SQL injection vulnerability via the id parameter at /Ant_Suxin.php. | |||||
| CVE-2023-36090 | 1 Dlink | 2 Dir-885l, Dir-885l Firmware | 2023-08-04 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Authentication Bypass vulnerability in D-Link DIR-885L FW102b01 allows remote attackers to gain escalated privileges via phpcgi. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-36089 | 1 Dlink | 2 Dir-645, Dir-645 Firmware | 2023-08-04 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Authentication Bypass vulnerability in D-Link DIR-645 firmware version 1.03 allows remote attackers to gain escalated privileges via function phpcgi_main in cgibin. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-36092 | 1 Dlink | 2 Dir-859, Dir-859 Firmware | 2023-08-04 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Authentication Bypass vulnerability in D-Link DIR-859 FW105b03 allows remote attackers to gain escalated privileges via via phpcgi_main. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-36091 | 1 Dlink | 2 Dir-895l, Dir-895l Firmware | 2023-08-04 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Authentication Bypass vulnerability in D-Link DIR-895 FW102b07 allows remote attackers to gain escalated privileges via via function phpcgi_main in cgibin. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-37213 | 1 Synel | 2 Synergy\/a, Synergy\/a Firmware | 2023-08-03 | N/A | 9.8 CRITICAL |
| Synel SYnergy Fingerprint Terminals - CWE-78: 'OS Command Injection' | |||||
| CVE-2023-32227 | 1 Synel | 2 Synergy\/a, Synergy\/a Firmware | 2023-08-03 | N/A | 9.8 CRITICAL |
| Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Credentials | |||||
| CVE-2023-4005 | 1 Fossbilling | 1 Fossbilling | 2023-08-03 | N/A | 9.8 CRITICAL |
| Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. | |||||
| CVE-2023-4006 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-08-03 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16. | |||||
| CVE-2020-21662 | 1 Yunyecms | 1 Yunyecms | 2023-08-03 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in yunyecms 2.0.2 allows remote attackers to run arbitrary SQL commands via XFF. | |||||
| CVE-2023-37754 | 1 Powerjob | 1 Powerjob | 2023-08-03 | N/A | 9.8 CRITICAL |
| PowerJob v4.3.3 was discovered to contain a remote command execution (RCE) vulnerability via the instanceId parameter at /instance/detail. | |||||
| CVE-2023-39013 | 1 Larsga | 1 Duke | 2023-08-03 | N/A | 9.8 CRITICAL |
| Duke v1.2 and below was discovered to contain a code injection vulnerability via the component no.priv.garshol.duke.server.CommonJTimer.init. | |||||
| CVE-2023-39010 | 1 Lessthanoptimal | 1 Boofcv | 2023-08-03 | N/A | 9.8 CRITICAL |
| BoofCV 0.42 was discovered to contain a code injection vulnerability via the component boofcv.io.calibration.CalibrationIO.load. This vulnerability is exploited by loading a crafted camera calibration file. | |||||
| CVE-2023-38992 | 1 Jeecg | 1 Jeecg Boot | 2023-08-03 | N/A | 9.8 CRITICAL |
| jeecg-boot v3.5.1 was discovered to contain a SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData. | |||||
| CVE-2023-39015 | 1 Code4craft | 1 Webmagic | 2023-08-03 | N/A | 9.8 CRITICAL |
| webmagic-extension v0.9.0 and below was discovered to contain a code injection vulnerability via the component us.codecraft.webmagic.downloader.PhantomJSDownloader. | |||||
| CVE-2023-39016 | 1 Bbossgroups | 1 Bboss-persistent | 2023-08-03 | N/A | 9.8 CRITICAL |
| bboss-persistent v6.0.9 and below was discovered to contain a code injection vulnerability in the component com.frameworkset.common.poolman.util.SQLManager.createPool. This vulnerability is exploited via passing an unchecked argument. | |||||
| CVE-2023-39017 | 1 Softwareag | 1 Quartz | 2023-08-03 | N/A | 9.8 CRITICAL |
| quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. | |||||
| CVE-2023-39018 | 1 Ffmpeg | 1 Ffmpeg | 2023-08-03 | N/A | 9.8 CRITICAL |
| FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.<constructor>. This vulnerability is exploited via passing an unchecked argument. | |||||
| CVE-2023-39020 | 1 Stanford | 1 Stanford Parser | 2023-08-03 | N/A | 9.8 CRITICAL |
| stanford-parser v3.9.2 and below was discovered to contain a code injection vulnerability in the component edu.stanford.nlp.io.getBZip2PipedInputStream. This vulnerability is exploited via passing an unchecked argument. | |||||
| CVE-2023-39021 | 1 Wix | 1 Wix Embedded Mysql | 2023-08-03 | N/A | 9.8 CRITICAL |
| wix-embedded-mysql v4.6.1 and below was discovered to contain a code injection vulnerability in the component com.wix.mysql.distribution.Setup.apply. This vulnerability is exploited via passing an unchecked argument. | |||||
| CVE-2023-39022 | 1 Oscore | 1 Oscore | 2023-08-03 | N/A | 9.8 CRITICAL |
| oscore v2.2.6 and below was discovered to contain a code injection vulnerability in the component com.opensymphony.util.EJBUtils.createStateless. This vulnerability is exploited via passing an unchecked argument. | |||||
| CVE-2023-39023 | 1 University Compass Project | 1 University Compass | 2023-08-03 | N/A | 9.8 CRITICAL |
| university compass v2.2.0 and below was discovered to contain a code injection vulnerability in the component org.compass.core.executor.DefaultExecutorManager.configure. This vulnerability is exploited via passing an unchecked argument. | |||||
| CVE-2023-3987 | 1 Simple Online Mens Salon Management System Project | 1 Simple Online Mens Salon Management System | 2023-08-03 | N/A | N/A |
| A vulnerability was found in SourceCodester Simple Online Mens Salon Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/?page=user/manage_user&id=3. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-235608. | |||||
| CVE-2023-3988 | 1 Cafe Billing System Project | 1 Cafe Billing System | 2023-08-03 | N/A | 9.8 CRITICAL |
| A vulnerability was found in Cafe Billing System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file index.php of the component Order Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235609 was assigned to this vulnerability. | |||||
| CVE-2023-3956 | 1 Instawp | 1 Instawp Connect | 2023-08-02 | N/A | 9.8 CRITICAL |
| The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user. | |||||