Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26316 | 1 Mi | 1 Xiaomi Cloud | 2023-08-07 | N/A | 6.1 MEDIUM |
| A XSS vulnerability exists in the Xiaomi cloud service Application product. The vulnerability is caused by Webview's whitelist checking function allowing javascript protocol to be loaded and can be exploited by attackers to steal Xiaomi cloud service account's cookies. | |||||
| CVE-2023-2850 | 1 Nodebb | 1 Nodebb | 2023-08-07 | N/A | 4.7 MEDIUM |
| NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this vulnerability allows certain user information to be extracted by attacker. | |||||
| CVE-2021-45094 | 1 Okta | 1 Imprivata Privileged Access Management | 2023-08-07 | N/A | 5.4 MEDIUM |
| Imprivata Privileged Access Management (formally Xton Privileged Access Management) 2.3.202112051108 allows XSS. | |||||
| CVE-2023-23476 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation For Cloud Pak | 2023-08-07 | N/A | 6.5 MEDIUM |
| IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes. IBM X-Force ID: 245425. | |||||
| CVE-2023-31927 | 1 Broadcom | 1 Brocade Fabric Operating System | 2023-08-07 | N/A | 5.3 MEDIUM |
| An information disclosure in the web interface of Brocade Fabric OS versions before Brocade Fabric OS v9.2.0 and v9.1.1c, could allow a remote unauthenticated attacker to get technical details about the web interface. | |||||
| CVE-2023-31928 | 1 Broadcom | 1 Brocade Fabric Operating System | 2023-08-07 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in Brocade Webtools PortSetting.html of Brocade Fabric OS version before Brocade Fabric OS v9.2.0 that could allow a remote unauthenticated attacker to execute arbitrary JavaScript code in a target user’s session with the Brocade Webtools application. | |||||
| CVE-2023-4054 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2023-08-07 | N/A | 5.5 MEDIUM |
| When opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1, Thunderbird < 102.14, and Thunderbird < 115.1. | |||||
| CVE-2023-4052 | 1 Mozilla | 2 Firefox, Firefox Esr | 2023-08-07 | N/A | 6.5 MEDIUM |
| The Firefox updater created a directory writable by non-privileged users. When uninstalling Firefox, any files in that directory would be recursively deleted with the permissions of the uninstalling user account. This could be combined with creation of a junction (a form of symbolic link) to allow arbitrary file deletion controlled by the non-privileged user. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 115.1, and Thunderbird < 115.1. | |||||
| CVE-2023-36141 | 1 Phpjabbers | 1 Cleaning Business Software | 2023-08-07 | N/A | 5.3 MEDIUM |
| User enumeration is found in in PHPJabbers Cleaning Business Software 1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. | |||||
| CVE-2018-18307 | 1 Alchemy-cms | 1 Alchemy Cms | 2023-08-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected as unauthorized." | |||||
| CVE-2023-39097 | 1 Webboss | 1 Webboss.io Cms | 2023-08-07 | N/A | 5.4 MEDIUM |
| WebBoss.io CMS v3.7.0.1 contains a stored cross-site scripting (XSS) vulnerability. | |||||
| CVE-2023-39096 | 1 Webboss | 1 Webboss.io Cms | 2023-08-07 | N/A | 5.4 MEDIUM |
| WebBoss.io CMS v3.7.0.1 contains a stored Cross-Site Scripting (XSS) vulnerability due to lack of input validation and output encoding. | |||||
| CVE-2022-41684 | 1 Openimageio | 1 Openimageio | 2023-08-07 | N/A | 5.5 MEDIUM |
| A heap out of bounds read vulnerability exists in the OpenImageIO master-branch-9aeece7a when parsing the image file directory part of a PSD image file. A specially-crafted .psd file can cause a read of arbitrary memory address which can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2023-33460 | 3 Debian, Fedoraproject, Yajl Project | 3 Debian Linux, Fedora, Yajl | 2023-08-05 | N/A | 6.5 MEDIUM |
| There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash. | |||||
| CVE-2023-36138 | 1 Phpjabbers | 1 Cleaning Business Software | 2023-08-05 | N/A | 6.1 MEDIUM |
| PHPJabbers Cleaning Business Software 1.0 is vulnerable to Cross Site Scripting (XSS) via the theme parameter of preview.php. | |||||
| CVE-2023-36121 | 1 E107 | 1 E107 | 2023-08-05 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the description function in the SEO project. | |||||
| CVE-2023-38990 | 1 Jeesite | 1 Jeesite | 2023-08-05 | N/A | 4.3 MEDIUM |
| An issue in the delete function in the MenuController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete menus created by the Administrator. | |||||
| CVE-2023-4117 | 1 Phpjabbers | 1 Rental Property Booking Calendar | 2023-08-05 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in PHP Jabbers Rental Property Booking 2.0. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-235964. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4116 | 1 Phpjabbers | 1 Taxi Booking Script | 2023-08-05 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic was found in PHP Jabbers Taxi Booking 2.0. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-235963. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4115 | 1 Phpjabbers | 1 Cleaning Business Software | 2023-08-05 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in PHP Jabbers Cleaning Business 1.0. Affected is an unknown function of the file /index.php. The manipulation of the argument index leads to cross site scripting. It is possible to launch the attack remotely. VDB-235962 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4114 | 1 Phpjabbers | 1 Night Club Booking Software | 2023-08-05 | N/A | 6.1 MEDIUM |
| A vulnerability was found in PHP Jabbers Night Club Booking Software 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-235961 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4113 | 1 Phpjabbers | 1 Service Booking Script | 2023-08-05 | N/A | 6.1 MEDIUM |
| A vulnerability was found in PHP Jabbers Service Booking Script 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be initiated remotely. The identifier of this vulnerability is VDB-235960. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4112 | 1 Phpjabbers | 1 Shuttle Booking Software | 2023-08-05 | N/A | 6.1 MEDIUM |
| A vulnerability was found in PHP Jabbers Shuttle Booking Software 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-235959. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2020-20808 | 1 Qibosoft | 1 Qibosoft | 2023-08-05 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Qibosoft qibosoft v.7 and before allows a remote attacker to execute arbitrary code via the eindtijd and starttijd parameters of do/search.php. | |||||
| CVE-2023-3426 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2023-08-05 | N/A | 4.3 MEDIUM |
| The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations. | |||||
| CVE-2023-2022 | 1 Gitlab | 1 Gitlab | 2023-08-05 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don't have access to merge | |||||
| CVE-2023-33257 | 1 Verint | 1 Engagement Management | 2023-08-04 | N/A | 5.4 MEDIUM |
| Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML injection via the user data form in the live chat. | |||||
| CVE-2023-33368 | 1 Assaabloy | 1 Control Id Idsecure | 2023-08-04 | N/A | 6.5 MEDIUM |
| Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfiltrating sensitive information and passwords to users accessing these API routes. | |||||
| CVE-2023-3401 | 1 Gitlab | 1 Gitlab | 2023-08-04 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code. | |||||
| CVE-2023-4067 | 1 Mage-people | 1 Bus Ticket Booking With Seat Reservation | 2023-08-04 | N/A | 6.1 MEDIUM |
| The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab_date' and 'tab_date_r' parameters in versions up to, and including, 5.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2023-37919 | 1 Cal | 1 Cal.com | 2023-08-04 | N/A | 5.4 MEDIUM |
| Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other device(s) stays logged in without having to verify the account owner's identity. As of time of publication, no known patches or workarounds exist. | |||||
| CVE-2023-37217 | 1 Tadirantele | 1 Aeonix | 2023-08-04 | N/A | 5.3 MEDIUM |
| Tadiran Telecom Aeonix - CWE-204: Observable Response Discrepancy | |||||
| CVE-2022-2416 | 1 Octopus | 1 Octopus Server | 2023-08-04 | N/A | 4.3 MEDIUM |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | |||||
| CVE-2022-43712 | 1 Gxsoftware | 1 Xperiencentral | 2023-08-04 | N/A | 6.5 MEDIUM |
| POST requests to /web/mvc in GX Software XperienCentral version 10.36.0 and earlier were not blocked for uses that are not logged in. If an unauthorized user is able to bypass other security filters they are able to post unauthorized data to the server because of CVE-2022-22965. | |||||
| CVE-2023-3385 | 1 Gitlab | 1 Gitlab | 2023-08-04 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html). | |||||
| CVE-2023-3500 | 1 Gitlab | 1 Gitlab | 2023-08-04 | N/A | 6.1 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims. | |||||
| CVE-2023-2164 | 1 Gitlab | 1 Gitlab | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the WebIDE beta. | |||||
| CVE-2023-1210 | 1 Gitlab | 1 Gitlab | 2023-08-04 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user's email via an error message for groups that restrict membership by email domain. | |||||
| CVE-2023-4053 | 1 Mozilla | 1 Firefox | 2023-08-04 | N/A | 6.5 MEDIUM |
| A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116. | |||||
| CVE-2023-38057 | 1 Otrs | 1 Survey | 2023-08-04 | N/A | 5.4 MEDIUM |
| An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22. | |||||
| CVE-2023-38357 | 1 Rws | 1 Worldserver | 2023-08-04 | N/A | 5.3 MEDIUM |
| Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions. | |||||
| CVE-2020-21881 | 1 Duxcms Project | 1 Duxcms | 2023-08-04 | N/A | 6.5 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability in admin.php in DuxCMS 2.1 allows remote attackers to modtify application data via article/admin/content/add. | |||||
| CVE-2023-37979 | 1 Ninjaforms | 1 Ninja Forms | 2023-08-04 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions. | |||||
| CVE-2023-3219 | 1 Myeventon | 1 Eventon | 2023-08-04 | N/A | 5.3 MEDIUM |
| The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post. | |||||
| CVE-2023-2796 | 1 Myeventon | 1 Eventon | 2023-08-04 | N/A | 5.3 MEDIUM |
| The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id. | |||||
| CVE-2019-19527 | 3 Debian, Linux, Opensuse | 3 Debian Linux, Linux Kernel, Leap | 2023-08-04 | 7.2 HIGH | 6.8 MEDIUM |
| In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e. | |||||
| CVE-2023-20583 | 1 Amd | 1 * | 2023-08-04 | N/A | 4.7 MEDIUM |
| A potential power side-channel vulnerability in AMD processors may allow an authenticated attacker to monitor the CPU power consumption as the data in a cache line changes over time potentially resulting in a leak of sensitive information. | |||||
| CVE-2023-38560 | 1 Artifex | 1 Ghostscript | 2023-08-04 | N/A | 5.5 MEDIUM |
| An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format. | |||||
| CVE-2023-31429 | 1 Broadcom | 1 Fabric Operating System | 2023-08-04 | N/A | 5.5 MEDIUM |
| Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability when using various commands such as “chassisdistribute”, “reboot”, “rasman”, errmoduleshow, errfilterset, hassiscfgperrthreshold, supportshowcfgdisable and supportshowcfgenable commands that can cause the content of shell interpreted variables to be printed in the terminal. | |||||
| CVE-2023-36118 | 1 Faculty Evaulation System Project | 1 Faculty Evaulation System | 2023-08-04 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Faculty Evaulation System using PHP/MySQLi v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the page parameter. | |||||