Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-36030 | 1 Microsoft | 1 Dynamics 365 | 2023-11-20 | N/A | 6.1 MEDIUM |
| Microsoft Dynamics 365 Sales Spoofing Vulnerability | |||||
| CVE-2023-36031 | 1 Microsoft | 1 Dynamics 365 | 2023-11-20 | N/A | 5.4 MEDIUM |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||
| CVE-2023-4949 | 2 Gnu, Xen | 2 Grub, Xen | 2023-11-20 | N/A | 6.7 MEDIUM |
| An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation. | |||||
| CVE-2023-42781 | 1 Apache | 1 Airflow | 2023-11-20 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability. | |||||
| CVE-2023-47037 | 1 Apache | 1 Airflow | 2023-11-20 | N/A | 4.3 MEDIUM |
| We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability. | |||||
| CVE-2023-47625 | 1 Dronecode | 1 Px4 Drone Autopilot | 2023-11-20 | N/A | 4.3 MEDIUM |
| PX4 autopilot is a flight control solution for drones. In affected versions a global buffer overflow vulnerability exists in the CrsfParser_TryParseCrsfPacket function in /src/drivers/rc/crsf_rc/CrsfParser.cpp:298 due to the invalid size check. A malicious user may create an RC packet remotely and that packet goes into the device where the _rcs_buf reads. The global buffer overflow vulnerability will be triggered and the drone can behave unexpectedly. This issue has been addressed in version 1.14.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-47801 | 1 Clickstudios | 1 Passwordstate | 2023-11-20 | N/A | 4.7 MEDIUM |
| An issue was discovered in Click Studios Passwordstate before 9811. Existing users (Security Administrators) could use the System Wide API Key to read or delete private password records when specifically used with the PasswordHistory API endpoint. It is also possible to use the Copy/Move Password Record API Key to Copy/Move private password records. | |||||
| CVE-2023-44333 | 3 Adobe, Apple, Microsoft | 3 Photoshop, Macos, Windows | 2023-11-20 | N/A | 5.5 MEDIUM |
| Adobe Photoshop versions 24.7.1 (and earlier) and 25.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2023-44331 | 3 Adobe, Apple, Microsoft | 3 Photoshop, Macos, Windows | 2023-11-20 | N/A | 5.5 MEDIUM |
| Adobe Photoshop versions 24.7.1 (and earlier) and 25.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2023-36042 | 1 Microsoft | 2 Visual Studio 2019, Visual Studio 2022 | 2023-11-20 | N/A | 5.5 MEDIUM |
| Visual Studio Denial of Service Vulnerability | |||||
| CVE-2023-36043 | 1 Microsoft | 1 System Center Operations Manager | 2023-11-20 | N/A | 6.5 MEDIUM |
| Open Management Infrastructure Information Disclosure Vulnerability | |||||
| CVE-2023-44296 | 1 Dell | 1 E-lab Navigator | 2023-11-20 | N/A | 5.5 MEDIUM |
| Dell ELab-Navigator, version 3.1.9 contains a hard-coded credential vulnerability. A local attacker could potentially exploit this vulnerability, leading to unauthorized access to sensitive data. Successful exploitation may result in the compromise of confidential user information. | |||||
| CVE-2023-36633 | 1 Fortinet | 1 Fortimail | 2023-11-20 | N/A | 5.4 MEDIUM |
| An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPs requests. | |||||
| CVE-2023-47446 | 1 Phpgurukul | 1 Pre-school Enrollment System | 2023-11-20 | N/A | 5.4 MEDIUM |
| Pre-School Enrollment version 1.0 is vulnerable to Cross Site Scripting (XSS) on the profile.php page via fullname parameter. | |||||
| CVE-2023-41597 | 1 Eyoucms | 1 Eyoucms | 2023-11-20 | N/A | 6.1 MEDIUM |
| EyouCms v1.6.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /admin/twitter.php?active_t. | |||||
| CVE-2023-33304 | 1 Fortinet | 1 Forticlient | 2023-11-20 | N/A | 5.5 MEDIUM |
| A use of hard-coded credentials vulnerability in Fortinet FortiClient Windows 7.0.0 - 7.0.9 and 7.2.0 - 7.2.1 allows an attacker to bypass system protections via the use of static credentials. | |||||
| CVE-2023-28002 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-11-20 | N/A | 6.7 MEDIUM |
| An improper validation of integrity check value vulnerability [CWE-354] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.12, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.2 all versions, 7.0 all versions, 2.0 all versions VMs may allow a local attacker with admin privileges to boot a malicious image on the device and bypass the filesystem integrity check in place. | |||||
| CVE-2023-47367 | 1 Linecorp | 1 Line | 2023-11-20 | N/A | 6.5 MEDIUM |
| The leakage of channel access token in platinum clinic Line 13.6.1 allows remote attackers to send malicious notifications to victims. | |||||
| CVE-2023-47366 | 1 Linecorp | 1 Line | 2023-11-20 | N/A | 6.5 MEDIUM |
| The leakage of channel access token in craft_members Line 13.6.1 allows remote attackers to send malicious notifications to victims. | |||||
| CVE-2023-47372 | 1 Linecorp | 1 Line | 2023-11-20 | N/A | 6.5 MEDIUM |
| The leakage of channel access token in UPDATESALON C-LOUNGE Line 13.6.1 allows remote attackers to send malicious notifications to victims. | |||||
| CVE-2023-47370 | 1 Linecorp | 1 Line | 2023-11-20 | N/A | 6.5 MEDIUM |
| The leakage of channel access token in bluetrick Line 13.6.1 allows remote attackers to send malicious notifications to victims. | |||||
| CVE-2023-47368 | 1 Linecorp | 1 Line | 2023-11-20 | N/A | 6.5 MEDIUM |
| The leakage of channel access token in taketorinoyu Line 13.6.1 allows remote attackers to send malicious notifications to victims. | |||||
| CVE-2023-47369 | 1 Linecorp | 1 Line | 2023-11-20 | N/A | 6.5 MEDIUM |
| The leakage of channel access token in best_training_member Line 13.6.1 allows remote attackers to send malicious notifications. | |||||
| CVE-2023-47373 | 1 Linecorp | 1 Line | 2023-11-20 | N/A | 6.5 MEDIUM |
| The leakage of channel access token in DRAGON FAMILY Line 13.6.1 allows remote attackers to send malicious notifications to victims. | |||||
| CVE-2023-47660 | 1 Wpwham | 1 Product Visibility By Country For Woocommerce | 2023-11-20 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP Wham Product Visibility by Country for WooCommerce plugin <= 1.4.9 versions. | |||||
| CVE-2023-6100 | 1 Maiwei Safety Production Control Platform Project | 1 Maiwei Safety Production Control Platform | 2023-11-20 | N/A | 5.3 MEDIUM |
| A vulnerability classified as problematic was found in Maiwei Safety Production Control Platform 4.1. This vulnerability affects unknown code of the file /api/DataDictionary/GetItemList. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-245062 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-46099 | 1 Siemens | 1 Simatic Pcs Neo | 2023-11-20 | N/A | 4.8 MEDIUM |
| A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). There is a stored cross-site scripting vulnerability in the Administration Console of the affected product, that could allow an attacker with high privileges to inject Javascript code into the application that is later executed by another legitimate user. | |||||
| CVE-2023-46096 | 1 Siemens | 1 Simatic Pcs Neo | 2023-11-20 | N/A | 6.5 MEDIUM |
| A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). The PUD Manager of affected products does not properly authenticate users in the PUD Manager web service. This could allow an unauthenticated adjacent attacker to generate a privileged token and upload additional documents. | |||||
| CVE-2021-3774 | 1 Meross | 2 Mss550x, Mss550x Firmware | 2023-11-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version and before, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from Meross app via Http/JSON plain request. | |||||
| CVE-2021-3834 | 1 Artica | 1 Integria Ims | 2023-11-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Integria IMS in its 5.0.92 version does not filter correctly some fields related to the login.php file. An attacker could exploit this vulnerability in order to perform a cross-site scripting attack (XSS). | |||||
| CVE-2023-47659 | 1 Lava-code | 1 Lava Directory Manager | 2023-11-20 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Lavacode Lava Directory Manager plugin <= 1.1.34 versions. | |||||
| CVE-2023-6103 | 1 Intelbras | 2 Rx 1500, Rx 1500 Firmware | 2023-11-20 | N/A | 5.4 MEDIUM |
| A vulnerability has been found in Intelbras RX 1500 1.1.9 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /WiFi.html of the component SSID Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-245065 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-5669 | 1 Christiaanconover | 1 Featured Image Caption | 2023-11-20 | N/A | 5.4 MEDIUM |
| The Featured Image Caption plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and post meta in all versions up to, and including, 0.8.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-34462 | 1 Netty | 1 Netty | 2023-11-18 | N/A | 6.5 MEDIUM |
| Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final. | |||||
| CVE-2021-26345 | 1 Amd | 180 Epyc 7203, Epyc 7203 Firmware, Epyc 7203p and 177 more | 2023-11-18 | N/A | 4.9 MEDIUM |
| Failure to validate the value in APCB may allow a privileged attacker to tamper with the APCB token to force an out-of-bounds memory read potentially resulting in a denial of service. | |||||
| CVE-2015-10095 | 1 Woo-popup Project | 1 Woo-popup | 2023-11-18 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in woo-popup Plugin up to 1.2.2 on WordPress. This affects an unknown part of the file admin/class-woo-popup-admin.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.3.0 is able to address this issue. The patch is named 7c76ac78f3e16015991b612ff4fa616af4ce9292. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222327. | |||||
| CVE-2023-6073 | 1 Volkswagen | 2 Id.3, Id.3 Firmware | 2023-11-18 | N/A | 6.3 MEDIUM |
| Attacker can perform a Denial of Service attack to crash the ICAS 3 IVI ECU in a Volkswagen ID.3 (and other vehicles of the VW Group with the same hardware) and spoof volume setting commands to irreversibly turn on audio volume to maximum via REST API calls. | |||||
| CVE-2020-36644 | 1 Inline Svg Project | 1 Inline Svg | 2023-11-18 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in jamesmartin Inline SVG up to 1.7.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file lib/inline_svg/action_view/helpers.rb of the component URL Parameter Handler. The manipulation of the argument filename leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.7.2 is able to address this issue. The identifier of the patch is f5363b351508486021f99e083c92068cf2943621. It is recommended to upgrade the affected component. The identifier VDB-217597 was assigned to this vulnerability. | |||||
| CVE-2014-125089 | 1 Cention-chatserver Project | 1 Cention-chatserver | 2023-11-18 | N/A | 6.1 MEDIUM |
| A vulnerability was found in cention-chatserver 3.8.0-rc1. It has been declared as problematic. Affected by this vulnerability is the function _formatBody of the file lib/InternalChatProtocol.fe. The manipulation of the argument body leads to cross site scripting. The attack can be launched remotely. Upgrading to version 3.9 is able to address this issue. The identifier of the patch is c4c0258bbd18f6915f97f91d5fee625384096a26. It is recommended to upgrade the affected component. The identifier VDB-221497 was assigned to this vulnerability. | |||||
| CVE-2014-125092 | 1 Maxfoundry | 1 Maxbuttons | 2023-11-18 | N/A | 6.1 MEDIUM |
| A vulnerability was found in MaxButtons Plugin up to 1.26.0 on WordPress and classified as problematic. This issue affects the function maxbuttons_strip_px of the file includes/maxbuttons-button.php. The manipulation of the argument button_id leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 1.26.1 is able to address this issue. The patch is named e74564c9e3b7429808e317f4916bd1c26ef0b806. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222323. | |||||
| CVE-2014-125103 | 1 Bestwebsoft | 1 Twitter | 2023-11-18 | N/A | 6.1 MEDIUM |
| A vulnerability was found in BestWebSoft Twitter Plugin up to 1.3.2 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function twttr_settings_page of the file twitter.php. The manipulation of the argument twttr_url_twitter/bws_license_key/bws_license_plugin leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.3.7 is able to address this issue. The patch is named e04d59ab578316ffeb204cf32dc71c0d0e1ff77c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230155. | |||||
| CVE-2021-39077 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2023-11-18 | N/A | 4.4 MEDIUM |
| IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, 11.3, and 11.4 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215587. ? | |||||
| CVE-2014-125090 | 1 Media Downloader Project | 1 Media Downloader | 2023-11-18 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Media Downloader Plugin 0.1.992 on WordPress. It has been declared as problematic. This vulnerability affects the function dl_file_resumable of the file getfile.php. The manipulation of the argument file leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.1.993 is able to address this issue. The patch is identified as 77beb720c682b9300035ab5f96eee225181d8a92. It is recommended to upgrade the affected component. VDB-222262 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-41138 | 1 Appsanywhere | 1 Appsanywhere Client | 2023-11-18 | N/A | 6.7 MEDIUM |
| The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process. | |||||
| CVE-2023-43505 | 1 Siemens | 1 Comos | 2023-11-18 | N/A | 6.5 MEDIUM |
| A vulnerability has been identified in COMOS (All versions). The affected application lacks proper access controls in SMB shares. This could allow an attacker to access files that the user should not have access to. | |||||
| CVE-2023-46854 | 1 Proxmox | 1 Proxmox-widget-toolkit | 2023-11-17 | N/A | 6.1 MEDIUM |
| Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxmox products, allows XSS via the edit notes feature. | |||||
| CVE-2023-44762 | 1 Concretecms | 1 Concrete Cms | 2023-11-17 | N/A | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags. | |||||
| CVE-2023-43901 | 1 Emsigner | 1 Emsigner | 2023-11-17 | N/A | 5.9 MEDIUM |
| Incorrect access control in the AdHoc User creation form of EMSigner v2.8.7 allows unauthenticated attackers to arbitrarily modify usernames and privileges by using the email address of a registered user. | |||||
| CVE-2023-6098 | 1 Icssolution | 1 Ics Business Manager | 2023-11-17 | N/A | 6.1 MEDIUM |
| An XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obdd_act parameter, allowing the attacker to steal an authenticated user's session, and perform actions within the application. | |||||
| CVE-2023-38515 | 1 Church Admin Project | 1 Church Admin | 2023-11-17 | N/A | 4.9 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 3.7.56. | |||||