Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-21267 | 1 Google | 1 Android | 2023-08-24 | N/A | 5.5 MEDIUM |
| In doKeyguardLocked of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-25399 | 1 Scipy | 1 Scipy | 2023-08-24 | N/A | 5.5 MEDIUM |
| A refcounting issue which leads to potential memory leak was discovered in scipy commit 8627df31ab in Py_FindObjects() function. | |||||
| CVE-2023-27520 | 1 Epson | 240 Esifnw1, Esifnw1 Firmware, Esnsb1 and 237 more | 2023-08-24 | N/A | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote unauthenticated attacker to hijack the authentication and perform unintended operations by having a logged-in user view a malicious page. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to SEIKO EPSON CORPORATION, it is also called as Remote Manager in some products. Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the vendor. | |||||
| CVE-2023-23572 | 1 Epson | 100 Esifnw1, Esifnw1 Firmware, Esnsb1 and 97 more | 2023-08-24 | N/A | 4.8 MEDIUM |
| Cross-site scripting vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to SEIKO EPSON CORPORATION, it is also called as Remote Manager in some products. Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the vendor. | |||||
| CVE-2023-37581 | 1 Apache | 1 Roller | 2023-08-24 | N/A | 5.4 MEDIUM |
| Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.2 and you should disable Roller's File Upload feature.? | |||||
| CVE-2023-4360 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-08-24 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in Color in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2023-4359 | 4 Apple, Debian, Fedoraproject and 1 more | 4 Iphone Os, Debian Linux, Fedora and 1 more | 2023-08-24 | N/A | 5.3 MEDIUM |
| Inappropriate implementation in App Launcher in Google Chrome on iOS prior to 116.0.5845.96 allowed a remote attacker to potentially spoof elements of the security UI via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2023-3195 | 2 Fedoraproject, Imagemagick | 3 Extra Packages For Enterprise Linux, Fedora, Imagemagick | 2023-08-24 | N/A | 5.5 MEDIUM |
| A stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service. | |||||
| CVE-2023-34475 | 2 Fedoraproject, Imagemagick | 3 Extra Packages For Enterprise Linux, Fedora, Imagemagick | 2023-08-24 | N/A | 5.5 MEDIUM |
| A heap use after free issue was discovered in ImageMagick's ReplaceXmpValue() function in MagickCore/profile.c. An attacker could trick user to open a specially crafted file to convert, triggering an heap-use-after-free write error, allowing an application to crash, resulting in a denial of service. | |||||
| CVE-2023-34474 | 2 Fedoraproject, Imagemagick | 3 Extra Packages For Enterprise Linux, Fedora, Imagemagick | 2023-08-24 | N/A | 5.5 MEDIUM |
| A heap-based buffer overflow issue was discovered in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the user in opening specially crafted file, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service. | |||||
| CVE-2023-2157 | 1 Imagemagick | 1 Imagemagick | 2023-08-24 | N/A | 5.5 MEDIUM |
| A heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing. | |||||
| CVE-2023-34412 | 2 Helmholz, Redlion | 34 Rex 200, Rex 200 Firmware, Rex 250 and 31 more | 2023-08-23 | N/A | 5.4 MEDIUM |
| A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower 7.3.2 allows an authenticated remote attacker to store an arbitrary JavaScript payload on the diagnosis page of the device. That page is loaded immediately after login in to the device and runs the stored payload, allowing the attacker to read and write browser data and reduce system performance. | |||||
| CVE-2023-20111 | 1 Cisco | 1 Identity Services Engine | 2023-08-23 | N/A | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information. This vulnerability is due to the improper storage of sensitive information within the web-based management interface. An attacker could exploit this vulnerability by logging in to the web-based management interface and viewing hidden fields within the application. A successful exploit could allow the attacker to access sensitive information, including device entry credentials, that could aid the attacker in further attacks. | |||||
| CVE-2023-4394 | 1 Linux | 1 Linux Kernel | 2023-08-23 | N/A | 6.0 MEDIUM |
| A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information | |||||
| CVE-2023-32106 | 1 Fahad Mahmood | 1 Wp Docs | 2023-08-23 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Fahad Mahmood WP Docs plugin <= 1.9.9 versions. | |||||
| CVE-2023-31218 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2023-08-23 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.6 versions. | |||||
| CVE-2023-31232 | 1 Artiss | 1 Plugins List | 2023-08-23 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in David Artiss Plugins List plugin <= 2.5 versions. | |||||
| CVE-2023-20862 | 2 Netapp, Vmware | 2 Active Iq Unified Manager, Spring Security | 2023-08-23 | N/A | 6.3 MEDIUM |
| In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3. | |||||
| CVE-2023-32105 | 1 Wp-pizza | 1 Wppizza | 2023-08-23 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ollybach WPPizza – A Restaurant Plugin plugin <= 3.17.1 versions. | |||||
| CVE-2023-32103 | 1 Themepalace | 1 Tp Education | 2023-08-23 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Theme Palace TP Education plugin <= 4.4 versions. | |||||
| CVE-2023-31492 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2023-08-23 | N/A | 6.5 MEDIUM |
| Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. | |||||
| CVE-2023-4439 | 1 Card Holder Management System Project | 1 Card Holder Management System | 2023-08-23 | N/A | 5.3 MEDIUM |
| A vulnerability was found in SourceCodester Card Holder Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Minus Value Handler. The manipulation leads to improper validation of specified quantity in input. The attack may be launched remotely. The identifier of this vulnerability is VDB-237560. | |||||
| CVE-2023-39743 | 1 Pete4abw | 1 Lzma Software Development Kit | 2023-08-23 | N/A | 5.3 MEDIUM |
| lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3_decode_block src/libbz3.c. | |||||
| CVE-2023-32107 | 1 Ays-pro | 1 Photo Gallery | 2023-08-23 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Photo Gallery Team Photo Gallery by Ays – Responsive Image Gallery plugin <= 5.1.3 versions. | |||||
| CVE-2023-39741 | 1 Long Range Zip Project | 1 Long Range Zip | 2023-08-23 | N/A | 5.5 MEDIUM |
| lrzip v0.651 was discovered to contain a heap overflow via the libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file. | |||||
| CVE-2023-40311 | 1 Opennms | 2 Horizon, Meridian | 2023-08-23 | N/A | 4.8 MEDIUM |
| Multiple stored XSS were found on different JSP files with unsanitized parameters in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that allow an attacker to store on database and then load on JSPs or Angular templates. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue. | |||||
| CVE-2023-27576 | 1 Phplist | 1 Phplist | 2023-08-23 | N/A | 6.7 MEDIUM |
| An issue was discovered in phpList 3.6.12. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. | |||||
| CVE-2023-40037 | 1 Apache | 1 Nifi | 2023-08-23 | N/A | 6.5 MEDIUM |
| Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation. | |||||
| CVE-2023-32130 | 1 Danielpowney | 1 Multi Rating | 2023-08-23 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.6 versions. | |||||
| CVE-2023-4433 | 1 Agentejo | 1 Cockpit | 2023-08-23 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | |||||
| CVE-2023-4432 | 1 Agentejo | 1 Cockpit | 2023-08-23 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | |||||
| CVE-2023-40312 | 1 Opennms | 2 Horizon, Meridian | 2023-08-23 | N/A | 5.2 MEDIUM |
| Multiple reflected XSS were found on different JSP files with unsanitized parameters in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that an attacker can modify to craft a malicious XSS payload. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue. | |||||
| CVE-2023-38905 | 1 Jeecg | 1 Jeecg Boot | 2023-08-23 | N/A | 5.5 MEDIUM |
| SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a local attacker to cause a denial of service via the Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE functions. | |||||
| CVE-2023-4384 | 1 Maximatech | 1 Portal Executivo | 2023-08-23 | N/A | 5.9 MEDIUM |
| A vulnerability has been found in MaximaTech Portal Executivo 21.9.1.140 and classified as problematic. This vulnerability affects unknown code of the component Cookie Handler. The manipulation leads to missing encryption of sensitive data. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-237316. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4040 | 1 Webtoffee | 1 Stripe Payment Plugin For Woocommerce | 2023-08-23 | N/A | 5.3 MEDIUM |
| The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_callback_handler function in versions up to, and including, 3.7.9. This makes it possible for unauthenticated attackers to modify the order status of arbitrary WooCommerce orders. | |||||
| CVE-2023-30875 | 1 Allmywebneeds | 1 Logo Scheduler | 2023-08-23 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in All My Web Needs Logo Scheduler plugin <= 1.2.0 versions. | |||||
| CVE-2023-31228 | 1 Cminds | 1 Cm On Demand Search And Replace | 2023-08-23 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin <= 1.3.0 versions. | |||||
| CVE-2023-31094 | 1 Wptrio | 1 Stock Sync For Woocommerce | 2023-08-23 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Lauri Karisola / WP Trio Stock Sync for WooCommerce plugin <= 2.4.0 versions. | |||||
| CVE-2023-20564 | 2 Amd, Microsoft | 4 Ryzen Master, Ryzen Master Monitoring Sdk, Windows 10 and 1 more | 2023-08-23 | N/A | 6.7 MEDIUM |
| Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may permit a privileged attacker to perform memory reads/writes potentially leading to a loss of confidentiality or arbitrary kernel execution. | |||||
| CVE-2023-20560 | 2 Amd, Microsoft | 4 Ryzen Master, Ryzen Master Monitoring Sdk, Windows 10 and 1 more | 2023-08-23 | N/A | 4.4 MEDIUM |
| Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may allow a privileged attacker to provide a null value potentially resulting in a Windows crash leading to denial of service. | |||||
| CVE-2023-4136 | 4 Apple, Craftercms, Linux and 1 more | 4 Macos, Craftercms, Linux Kernel and 1 more | 2023-08-23 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.This issue affects CrafterCMS: from 4.0.0 through 4.0.2, from 3.1.0 through 3.1.27. | |||||
| CVE-2023-4371 | 1 Phprecdb | 1 Phprecdb | 2023-08-23 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpRecDB 1.3.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument r/view leads to cross site scripting. The attack may be launched remotely. VDB-237194 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-29182 | 1 Fortinet | 1 Fortios | 2023-08-23 | N/A | 6.7 MEDIUM |
| A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiOS before 7.0.3 allows a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections. | |||||
| CVE-2023-40281 | 1 Ec-cube | 1 Ec-cube | 2023-08-23 | N/A | 4.8 MEDIUM |
| EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product. | |||||
| CVE-2023-40216 | 1 Openbsd | 1 Openbsd | 2023-08-23 | N/A | 5.5 MEDIUM |
| OpenBSD 7.3 before errata 014 is missing an argument-count bounds check in console terminal emulation. This could cause incorrect memory access and a kernel crash after receiving crafted DCS or CSI terminal escape sequences. | |||||
| CVE-2023-20242 | 1 Cisco | 2 Unified Communications Manager, Unified Communications Manager Im And Presence Service | 2023-08-23 | N/A | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2023-40251 | 1 Genians | 2 Genian Nac, Genian Ztna | 2023-08-23 | N/A | 5.9 MEDIUM |
| Missing Encryption of Sensitive Data vulnerability in Genians Genian NAC V4.0, Genians Genian NAC V5.0, Genians Genian NAC Suite V5.0, Genians Genian ZTNA allows Man in the Middle Attack.This issue affects Genian NAC V4.0: from V4.0.0 through V4.0.155; Genian NAC V5.0: from V5.0.0 through V5.0.42 (Revision 117460); Genian NAC Suite V5.0: from V5.0.0 through V5.0.54; Genian ZTNA: from V6.0.0 through V6.0.15. | |||||
| CVE-2023-28690 | 1 Marcosteinbrecher | 1 Wp Browserupdate | 2023-08-23 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Marco Steinbrecher WP BrowserUpdate plugin <= 4.5 versions. | |||||
| CVE-2023-3244 | 1 Wphappycoders | 1 Comments Like Dislike | 2023-08-23 | N/A | 4.3 MEDIUM |
| The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the restore_settings function called via an AJAX action in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to reset the plugin's settings. NOTE: After attempting to contact the developer with no response, and reporting this to the WordPress plugin's team 30 days ago we are disclosing this issue as it still is not updated. | |||||
| CVE-2023-23908 | 3 Debian, Fedoraproject, Intel | 275 Debian Linux, Fedora, Microcode and 272 more | 2023-08-23 | N/A | 4.4 MEDIUM |
| Improper access control in some 3rd Generation Intel(R) Xeon(R) Scalable processors may allow a privileged user to potentially enable information disclosure via local access. | |||||