Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-38906 | 1 Tp-link | 3 Tapo, Tapo L530e, Tapo L530e Firmware | 2023-08-25 | N/A | 6.5 MEDIUM |
| An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14 allows a remote attacker to obtain sensitive information via the authentication code for the UDP message. | |||||
| CVE-2023-38908 | 1 Tp-link | 3 Tapo, Tapo L530e, Tapo L530e Firmware | 2023-08-25 | N/A | 6.5 MEDIUM |
| An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14 allows a remote attacker to obtain sensitive information via the TSKEP authentication function. | |||||
| CVE-2023-38909 | 1 Tp-link | 3 Tapo, Tapo L530e, Tapo L530e Firmware | 2023-08-25 | N/A | 6.5 MEDIUM |
| An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14 allows a remote attacker to obtain sensitive information via the IV component in the AES128-CBC function. | |||||
| CVE-2023-4435 | 1 Hamza417 | 1 Inure | 2023-08-25 | N/A | 5.5 MEDIUM |
| Improper Input Validation in GitHub repository hamza417/inure prior to build88. | |||||
| CVE-2020-21710 | 1 Artifex | 1 Ghostscript | 2023-08-25 | N/A | 5.5 MEDIUM |
| A divide by zero issue discovered in eps_print_page in gdevepsn.c in Artifex Software GhostScript 9.50 allows remote attackers to cause a denial of service via opening of crafted PDF file. | |||||
| CVE-2023-3936 | 1 Adenion | 1 Blog2social | 2023-08-25 | N/A | 6.1 MEDIUM |
| The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2023-3667 | 1 Bitapps | 1 Bit Assist | 2023-08-25 | N/A | 4.8 MEDIUM |
| The Bit Assist WordPress plugin before 1.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-3954 | 1 Multiparcels | 1 Multiparcels Shipping For Woocommerce | 2023-08-25 | N/A | 6.1 MEDIUM |
| The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2023-40068 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2023-08-25 | N/A | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege. | |||||
| CVE-2023-3481 | 1 Google | 1 Critters | 2023-08-25 | N/A | 6.1 MEDIUM |
| Critters versions 0.0.17-0.0.19 have an issue when parsing the HTML, which leads to a potential cross-site scripting (XSS) bug. We recommend upgrading to version 0.0.20 of the extension. | |||||
| CVE-2023-39543 | 1 Luxsoft | 1 Luxcal Web Calendar | 2023-08-25 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product. | |||||
| CVE-2020-22181 | 1 Samsung | 2 Sww-3400rw, Sww-3400rw Firmware | 2023-08-25 | N/A | 6.1 MEDIUM |
| A reflected cross site scripting (XSS) vulnerability was discovered on Samsung sww-3400rw Router devices via the m2 parameter of the sess-bin/command.cgi | |||||
| CVE-2020-24294 | 1 Freeimage Project | 1 Freeimage | 2023-08-25 | N/A | 6.5 MEDIUM |
| Buffer Overflow vulnerability in psdParser::UnpackRLE function in PSDParser.cpp in FreeImage 3.19.0 [r1859] allows remote attackers to cause a denial of service via opening of crafted psd file. | |||||
| CVE-2020-23992 | 1 Nagios | 1 Nagios Xi | 2023-08-25 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via returnUrl parameter in a crafted GET request. | |||||
| CVE-2023-36674 | 1 Mediawiki | 1 Mediawiki | 2023-08-25 | N/A | 5.3 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax. | |||||
| CVE-2023-40877 | 1 Dedecms | 1 Dedecms | 2023-08-25 | N/A | 5.4 MEDIUM |
| DedeCMS up to and including 5.7.110 was discovered to contain a cross-site scripting (XSS) vulnerability at /dede/freelist_edit.php via the title parameter. | |||||
| CVE-2023-40876 | 1 Dedecms | 1 Dedecms | 2023-08-25 | N/A | 5.4 MEDIUM |
| DedeCMS up to and including 5.7.110 was discovered to contain a cross-site scripting (XSS) vulnerability at /dede/freelist_add.php via the title parameter. | |||||
| CVE-2023-40875 | 1 Dedecms | 1 Dedecms | 2023-08-25 | N/A | 5.4 MEDIUM |
| DedeCMS up to and including 5.7.110 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at /dede/vote_edit.php via the votename and votenote parameters. | |||||
| CVE-2023-40874 | 1 Dedecms | 1 Dedecms | 2023-08-25 | N/A | 5.4 MEDIUM |
| DedeCMS up to and including 5.7.110 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at /dede/vote_add.php via the votename and voteitem1 parameters. | |||||
| CVE-2023-36317 | 1 Student Study Center Desk Management System Project | 1 Student Study Center Desk Management System | 2023-08-25 | N/A | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in sourcecodester Student Study Center Desk Management System 1.0 allows attackers to run arbitrary code via crafted GET request to web application URL. | |||||
| CVE-2023-28994 | 1 Uxthemes | 1 Flatsome | 2023-08-25 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in UX-themes Flatsome plugin <= 3.16.8 versions. | |||||
| CVE-2023-32755 | | | 2023-08-25 | N/A | 5.3 MEDIUM |
| e-Excellence U-Office Force generates an error message in website service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command. | |||||
| CVE-2023-4520 | | | 2023-08-25 | N/A | 5.4 MEDIUM |
| The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_fv_player_user_video’ parameter saved via the 'save' function hooked via init, and the plugin is also vulnerable to Arbitrary Usermeta Update via the 'save' function in versions up to, and including, 7.5.37.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, and makes it possible to update the user metas arbitrarily, but the meta value can only be a string. | |||||
| CVE-2020-19724 | 1 Gnu | 1 Binutils | 2023-08-25 | N/A | 5.5 MEDIUM |
| A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command. | |||||
| CVE-2020-18839 | 1 Freedesktop | 1 Poppler | 2023-08-25 | N/A | 6.5 MEDIUM |
| Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service. | |||||
| CVE-2023-23565 | 1 Geomatika | 1 Isigeo Web | 2023-08-24 | N/A | 4.9 MEDIUM |
| An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to retrieve PHP files from the server via Local File Inclusion. | |||||
| CVE-2023-23563 | 1 Geomatika | 1 Isigeo Web | 2023-08-24 | N/A | 6.5 MEDIUM |
| An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to obtain sensitive database content via SQL Injection. | |||||
| CVE-2020-21490 | 1 Gnu | 1 Binutils | 2023-08-24 | N/A | 5.5 MEDIUM |
| An issue was discovered in GNU Binutils 2.34. It is a memory leak when processing microblaze-dis.c. This one will consume memory on each insn disassembled. | |||||
| CVE-2020-21047 | 1 Elfutils Project | 1 Elfutils | 2023-08-24 | N/A | 5.5 MEDIUM |
| The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks. | |||||
| CVE-2023-3366 | 1 Multiparcels | 1 Multiparcels Shipping For Woocommerce | 2023-08-24 | N/A | 4.3 MEDIUM |
| The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.2 does not have a CSRF check when deleting a shipment, allowing attackers to make any logged in user delete an arbitrary shipment via a CSRF attack | |||||
| CVE-2023-4302 | 1 Jenkins | 1 Fortify | 2023-08-24 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-4301 | 1 Jenkins | 1 Fortify | 2023-08-24 | N/A | 5.4 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-4303 | 1 Jenkins | 1 Fortify | 2023-08-24 | N/A | 6.1 MEDIUM |
| Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method, resulting in an HTML injection vulnerability. | |||||
| CVE-2023-4454 | 1 Wallabag | 1 Wallabag | 2023-08-24 | N/A | 5.7 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3. | |||||
| CVE-2023-4453 | 1 Pimcore | 1 Pimcore | 2023-08-24 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8. | |||||
| CVE-2023-4455 | 1 Wallabag | 1 Wallabag | 2023-08-24 | N/A | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3. | |||||
| CVE-2023-39094 | 1 Zerowdd | 1 Studentmanager | 2023-08-24 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in ZeroWdd studentmanager v.1.0 allows a remote attacker to execute arbitrary code via the username parameter in the student list function. | |||||
| CVE-2023-4451 | 1 Agentejo | 1 Cockpit | 2023-08-24 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | |||||
| CVE-2023-2971 | 3 Linux, Microsoft, Typora | 3 Linux Kernel, Windows, Typora | 2023-08-24 | N/A | 6.5 MEDIUM |
| Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/typemark/". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora. | |||||
| CVE-2023-4028 | 1 Lenovo | 58 13w Yoga, 13w Yoga Firmware, 13w Yoga Gen 2 and 55 more | 2023-08-24 | N/A | 6.7 MEDIUM |
| A buffer overflow has been identified in the SystemUserMasterHddPwdDxe driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code. | |||||
| CVE-2023-34419 | 1 Lenovo | 60 Legion 5-15ach6, Legion 5-15ach6 Firmware, Legion 5-15ach6a and 57 more | 2023-08-24 | N/A | 6.7 MEDIUM |
| A buffer overflow has been identified in the SetupUtility driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code. | |||||
| CVE-2023-4392 | 1 Assaabloy | 1 Control Id Gerencia Web | 2023-08-24 | N/A | 5.3 MEDIUM |
| A vulnerability was found in Control iD Gerencia Web 1.30 and classified as problematic. Affected by this issue is some unknown functionality of the component Cookie Handler. The manipulation leads to cleartext storage of sensitive information. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-237380. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-39250 | 1 Dell | 1 Storage Integration Tools For Vmware | 2023-08-24 | N/A | 5.5 MEDIUM |
| Dell Storage Integration Tools for VMware (DSITV) 06.01.00.016 contain an information disclosure vulnerability. A local low-privileged malicious user could potentially exploit this vulnerability to retrieve an encryption key that could aid in further attacks. | |||||
| CVE-2023-27471 | 1 Insyde | 1 Insydeh2o | 2023-08-24 | N/A | 5.5 MEDIUM |
| An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. UEFI implementations do not correctly protect and validate information contained in the 'MeSetup' UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform. | |||||
| CVE-2023-21264 | 1 Google | 1 Android | 2023-08-24 | N/A | 6.7 MEDIUM |
| In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21140 | 1 Google | 1 Android | 2023-08-24 | N/A | 6.8 MEDIUM |
| In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21134 | 1 Google | 1 Android | 2023-08-24 | N/A | 6.8 MEDIUM |
| In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21133 | 1 Google | 1 Android | 2023-08-24 | N/A | 6.8 MEDIUM |
| In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21132 | 1 Google | 1 Android | 2023-08-24 | N/A | 6.8 MEDIUM |
| In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-40168 | 1 Turbowarp | 1 Turbowarp Desktop | 2023-08-24 | N/A | 6.5 MEDIUM |
| TurboWarp is a desktop application that compiles scratch projects to JavaScript. TurboWarp Desktop versions prior to version 1.8.0 allowed a malicious project or custom extension to read arbitrary files from disk and upload them to a remote server. The only required user interaction is opening the sb3 file or loading the extension. The web version of TurboWarp is not affected. This bug has been addressed in commit `55e07e99b59` after an initial fix which was reverted. Users are advised to upgrade to version 1.8.0 or later. Users unable to upgrade should avoid opening sb3 files or loading extensions from untrusted sources. | |||||
