Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27879 | 1 Intel | 8 Optane Memory H20 With Solid State Storage, Optane Memory H20 With Solid State Storage Firmware, Optane Ssd 905p and 5 more | 2023-11-29 | N/A | 4.6 MEDIUM |
| Improper access control in firmware for some Intel(R) Optane(TM) SSD products may allow an unauthenticated user to potentially enable information disclosure via physical access. | |||||
| CVE-2023-41145 | 1 Autodesk | 1 Customer Portal | 2023-11-29 | N/A | 5.3 MEDIUM |
| Autodesk users who no longer have an active license for an account can still access cases for that account. | |||||
| CVE-2023-41146 | 1 Autodesk | 1 Customer Portal | 2023-11-29 | N/A | 4.3 MEDIUM |
| Autodesk Customer Support Portal allows cases created by users under an account to see cases created by other users on the same account. | |||||
| CVE-2023-47392 | 1 Mercedes-benz | 1 Mercedes Me | 2023-11-29 | N/A | 5.3 MEDIUM |
| An access control issue in Mercedes me IOS APP v1.34.0 and below allows attackers to view the carts of other users via sending a crafted add order request. | |||||
| CVE-2023-47393 | 1 Mercedes-benz | 1 Mercedes Me | 2023-11-29 | N/A | 5.3 MEDIUM |
| An access control issue in Mercedes me IOS APP v1.34.0 and below allows attackers to view the maintenance orders of other users and access sensitive user information via unspecified vectors. | |||||
| CVE-2023-6178 | 1 Tenable | 1 Nessus | 2023-11-29 | N/A | 6.5 MEDIUM |
| An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. | |||||
| CVE-2023-6062 | 1 Tenable | 1 Nessus | 2023-11-29 | N/A | 6.5 MEDIUM |
| An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. | |||||
| CVE-2023-6199 | 1 Bookstackapp | 1 Book Stack | 2023-11-29 | N/A | 6.5 MEDIUM |
| Book Stack version 23.10.2 allows filtering local files on the server. This is possible because the application is vulnerable to SSRF. | |||||
| CVE-2023-6144 | 1 Armanidrisi | 1 Dev Blog | 2023-11-29 | N/A | 4.8 MEDIUM |
| Dev blog v1.0 allows to exploit an account takeover through the "user" cookie. With this, an attacker can access any user's session just by knowing their username. | |||||
| CVE-2023-6142 | 1 Armanidrisi | 1 Dev Blog | 2023-11-29 | N/A | 5.4 MEDIUM |
| Dev blog v1.0 allows to exploit an XSS through an unrestricted file upload, together with a bad entropy of filenames. With this an attacker can upload a malicious HTML file, then guess the filename of the uploaded file and send it to a potential victim. | |||||
| CVE-2023-28802 | 1 Zscaler | 1 Client Connector | 2023-11-29 | N/A | 5.4 MEDIUM |
| An Improper Validation of Integrity Check Value in Zscaler Client Connector on Windows allows an authenticated user to disable ZIA/ZPA by interrupting the service restart from Zscaler Diagnostics. This issue affects Client Connector: before 4.2.0.149. | |||||
| CVE-2023-48124 | 1 Nayemhowlader | 1 Sup Online Shopping | 2023-11-29 | N/A | 5.4 MEDIUM |
| Cross Site Scripting in SUP Online Shopping v.1.0 allows a remote attacker to execute arbitrary code via the Name, Email and Address parameters in the Register New Account component. | |||||
| CVE-2023-42752 | 1 Linux | 1 Linux Kernel | 2023-11-29 | N/A | 5.5 MEDIUM |
| An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers. | |||||
| CVE-2022-3643 | 3 Broadcom, Debian, Linux | 3 Bcm5780, Debian Linux, Linux Kernel | 2023-11-29 | N/A | 6.5 MEDIUM |
| Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. | |||||
| CVE-2023-5598 | 1 Dassault | 2 3dswymer 3dexperience 2022, 3dswymer 3dexperience 2023 | 2023-11-29 | N/A | 5.4 MEDIUM |
| Stored Cross-site Scripting (XSS) vulnerabilities affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2023x allow an attacker to execute arbitrary script code. | |||||
| CVE-2023-20265 | 1 Cisco | 8 Ip Dect 110, Ip Dect 110 Firmware, Ip Dect 210 and 5 more | 2023-11-29 | N/A | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of a small subset of Cisco IP Phones could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device. | |||||
| CVE-2023-20208 | 1 Cisco | 1 Identity Services Engine | 2023-11-29 | N/A | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the web-based management interface of an affected device. | |||||
| CVE-2023-47643 | 1 Salesagility | 1 Suitecrm | 2023-11-29 | N/A | 5.3 MEDIUM |
| SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds. | |||||
| CVE-2023-48299 | 1 Pytorch | 1 Torchserve | 2023-11-29 | N/A | 5.3 MEDIUM |
| TorchServe is a tool for serving and scaling PyTorch models in production. Starting in version 0.1.0 and prior to version 0.9.0, using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extracted to any location on the filesystem that is within the process permissions. Leveraging this issue could aid third-party actors in hiding harmful code in open-source/public models, which can be downloaded from the internet, and take advantage of machines running Torchserve. The ZipSlip issue in TorchServe has been fixed by validating the paths of files contained within a zip archive before extracting them. TorchServe release 0.9.0 includes fixes to address the ZipSlip vulnerability. | |||||
| CVE-2023-47759 | 1 Premio | 1 Chaty | 2023-11-29 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Chaty plugin <= 3.1.2 versions. | |||||
| CVE-2023-30496 | 1 Mage-people | 1 Bus Ticket Booking With Seat Reservation | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MagePeople Team WpBusTicketly plugin <= 5.2.5 versions. | |||||
| CVE-2023-47014 | 1 Remyandrade | 1 Sticky Notes App | 2023-11-29 | N/A | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability in Sourcecodester Sticky Notes App Using PHP with Source Code v.1.0 allows a local attacker to obtain sensitive information via a crafted payload to add-note.php. | |||||
| CVE-2023-5234 | 1 Peachpay | 1 Related Products For Woocommerce | 2023-11-29 | N/A | 5.4 MEDIUM |
| The Related Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'woo-related' shortcode in versions up to, and including, 3.3.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-48705 | 1 Networktocode | 1 Nautobot | 2023-11-29 | N/A | 5.4 MEDIUM |
| Nautobot is a Network Source of Truth and Network Automation Platform built as a web application All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected by a cross-site scripting vulnerability. Due to incorrect usage of Django's `mark_safe()` API when rendering certain types of user-authored content; including custom links, job buttons, and computed fields; it is possible that users with permission to create or edit these types of content could craft a malicious payload (such as JavaScript code) that would be executed when rendering pages containing this content. The maintainers have fixed the incorrect uses of `mark_safe()` (generally by replacing them with appropriate use of `format_html()` instead) to prevent such malicious data from being executed. Users on Nautobot 1.6.x LTM should upgrade to v1.6.6 and users on Nautobot 2.0.x should upgrade to v2.0.5. Appropriate object permissions can and should be applied to restrict which users are permitted to create or edit the aforementioned types of user-authored content. Other than that, there is no direct workaround available. | |||||
| CVE-2023-47417 | 1 Paulrouget | 1 Dzslides | 2023-11-28 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the component /shells/embedder.html of DZSlides after v2011.07.25 allows attackers to execute arbitrary code via a crafted payload. | |||||
| CVE-2023-46471 | 1 Spaceapplications | 1 Yacms | 2023-11-28 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Space Applications Services Yamcs v.5.8.6 allows a remote attacker to execute arbitrary code via the text variable scriptContainer of the ScriptViewer. | |||||
| CVE-2023-46470 | 1 Spaceapplications | 1 Yacms | 2023-11-28 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Space Applications Services Yamcs v.5.8.6 allows a remote attacker to execute arbitrary code via crafted telecommand in the timeline view of the ArchiveBrowser. | |||||
| CVE-2023-47311 | 1 Spaceapplications | 1 Yacms | 2023-11-28 | N/A | 6.1 MEDIUM |
| An issue in Yamcs 5.8.6 allows attackers to send aribitrary telelcommands in a Command Stack via Clickjacking. | |||||
| CVE-2023-21416 | 1 Axis | 2 Axis Os, Axis Os 2022 | 2023-11-28 | N/A | 6.5 MEDIUM |
| Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | |||||
| CVE-2023-48198 | 1 Grocy Project | 1 Grocy | 2023-11-28 | N/A | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies. | |||||
| CVE-2023-47839 | 1 Implecode | 1 Ecommerce Product Catalog | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in impleCode eCommerce Product Catalog Plugin for WordPress plugin <= 3.3.26 versions. | |||||
| CVE-2023-40002 | 1 Booster | 1 Booster For Woocommerce | 2023-11-28 | N/A | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pluggabl LLC Booster for WooCommerce plugin <= 7.1.1 versions. | |||||
| CVE-2023-47790 | 1 Popozure | 1 Pz-linkcard | 2023-11-28 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in Poporon Pz-LinkCard plugin <= 2.4.8 versions. | |||||
| CVE-2023-47833 | 1 Slimndap | 1 Theater For Wordpress | 2023-11-28 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress plugin <= 0.18.3 versions. | |||||
| CVE-2023-47834 | 1 Quizandsurveymaster | 1 Quiz And Survey Master | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ExpressTech Quiz And Survey Master plugin <= 8.1.13 versions. | |||||
| CVE-2023-47829 | 1 Codez | 1 Quick Call Button | 2023-11-28 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codez Quick Call Button plugin <= 1.2.9 versions. | |||||
| CVE-2023-47821 | 1 Jannisthuemmig | 1 Email Encoder | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jannis Thuemmig Email Encoder plugin <= 2.1.8 versions. | |||||
| CVE-2023-47817 | 1 Mmrs151 | 1 Daily Prayer Time | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mmrs151 Daily Prayer Time plugin <= 2023.10.13 versions. | |||||
| CVE-2023-47835 | 1 Ari-soft | 1 Ari Stream Quiz | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder plugin <= 1.2.32 versions. | |||||
| CVE-2023-47816 | 1 Wpcharitable | 1 Charitable | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13 versions. | |||||
| CVE-2023-47815 | 1 Venutius | 1 Bp Profile Shortcodes Extra | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Venutius BP Profile Shortcodes Extra plugin <= 2.5.2 versions. | |||||
| CVE-2023-47814 | 1 Bmicalculator | 1 Bmi Calculator | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Waterloo Plugins BMI Calculator Plugin plugin <= 1.0.3 versions. | |||||
| CVE-2023-47813 | 1 Grandslambert | 1 Better Rss Widget | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in grandslambert Better RSS Widget plugin <= 2.8.1 versions. | |||||
| CVE-2023-47812 | 1 Bamboo Mcr | 1 Bamboo Columns | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bamboo Mcr Bamboo Columns plugin <= 1.6.1 versions. | |||||
| CVE-2023-47811 | 1 Sureshkumarmukhiya | 1 Anywhere Flash Embed | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suresh KUMAR Mukhiya Anywhere Flash Embed plugin <= 1.0.5 versions. | |||||
| CVE-2023-47810 | 1 Asdqwedev | 1 Ajax Domain Checker | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asdqwe Dev Ajax Domain Checker plugin <= 1.3.0 versions. | |||||
| CVE-2023-47809 | 1 Themepoints | 1 Accordion | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion plugin <= 2.6 versions. | |||||
| CVE-2023-49061 | 1 Mozilla | 1 Firefox | 2023-11-28 | N/A | 6.1 MEDIUM |
| An attacker could have performed HTML template injection via Reader Mode and exfiltrated user information. This vulnerability affects Firefox for iOS < 120. | |||||
| CVE-2023-5537 | 1 Joselazo | 1 Delete Usermeta | 2023-11-28 | N/A | 4.3 MEDIUM |
| The Delete Usermeta plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing nonce validation on the delumet_options_page() function. This makes it possible for unauthenticated attackers to remove user meta for arbitrary users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-5469 | 1 Stevenhenty | 1 Drop Shadow Boxes | 2023-11-28 | N/A | 5.4 MEDIUM |
| The Drop Shadow Boxes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dropshadowbox' shortcode in versions up to, and including, 1.7.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||