Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4782 | 1 Clickfunnels | 1 Clickfunnels | 2023-08-22 | N/A | 5.4 MEDIUM |
| The ClickFunnels WordPress plugin through 3.1.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. | |||||
| CVE-2023-0551 | 1 Minapper | 1 Rest Api To Miniprogram | 2023-08-22 | N/A | 5.4 MEDIUM |
| The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments. | |||||
| CVE-2023-2122 | 1 10web | 1 Image Optimizer | 2023-08-22 | N/A | 6.1 MEDIUM |
| The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_tabs_active parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged in admin to execute arbitrary javascript by clicking a link. | |||||
| CVE-2023-2254 | 1 Ko-fi | 1 Ko-fi Button | 2023-08-22 | N/A | 4.8 MEDIUM |
| The Ko-fi Button WordPress plugin before 1.3.3 does not properly sanitise and escape some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup), and is considered low risk. | |||||
| CVE-2023-2225 | 1 Pottie | 1 Seo Alert | 2023-08-22 | N/A | 4.8 MEDIUM |
| The SEO Alert WordPress plugin through 1.59 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-2123 | 1 Wpinventory | 1 Wp Inventory Manager | 2023-08-22 | N/A | 6.1 MEDIUM |
| The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2023-4381 | 1 Instantcms | 1 Instantcms | 2023-08-22 | N/A | 4.3 MEDIUM |
| Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git. | |||||
| CVE-2023-2272 | 1 Tiempo | 1 Tiempo | 2023-08-22 | N/A | 6.1 MEDIUM |
| The Tiempo.com WordPress plugin through 0.1.2 does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin. | |||||
| CVE-2023-2271 | 1 Tiempo | 1 Tiempo | 2023-08-22 | N/A | 4.3 MEDIUM |
| The Tiempo.com WordPress plugin through 0.1.2 does not have a CSRF check when deleting its shortcode, which could allow attackers to make logged-in admins delete arbitrary shortcodes via a CSRF attack. | |||||
| CVE-2023-3262 | 1 Dataprobe | 44 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 41 more | 2023-08-22 | N/A | 6.7 MEDIUM |
| The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database. A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records. | |||||
| CVE-2023-4367 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-08-22 | N/A | 6.5 MEDIUM |
| Insufficient policy enforcement in Extensions API in Google Chrome prior to 116.0.5845.96 allowed an attacker who convinced a user to install a malicious extension to bypass an enterprise policy via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2023-4365 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-08-22 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in Fullscreen in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2023-40354 | 1 Mariadb | 1 Maxscale | 2023-08-22 | N/A | 6.5 MEDIUM |
| An issue was discovered in MariaDB MaxScale before 23.02.3. A user enters an encrypted password on a "maxctrl create service" command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The fixed versions are 2.5.28, 6.4.9, 22.08.8, and 23.02.3. | |||||
| CVE-2023-4364 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-08-22 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in Permission Prompts in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2023-4363 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Android and 1 more | 2023-08-22 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in WebShare in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to spoof the contents of a dialog URL via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2020-27673 | 4 Debian, Linux, Opensuse and 1 more | 4 Debian Linux, Linux Kernel, Leap and 1 more | 2023-08-22 | 4.9 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271. | |||||
| CVE-2023-38840 | 1 Bitwarden | 1 Bitwarden | 2023-08-22 | N/A | 5.5 MEDIUM |
| Bitwarden Desktop 2023.7.0 and below allows an attacker with local access to obtain sensitive information via the Bitwarden.exe process. | |||||
| CVE-2023-38687 | 1 Mskocik | 1 Svelecte | 2023-08-22 | N/A | 5.4 MEDIUM |
| Svelecte is a flexible autocomplete/select component written in Svelte. Svelecte item names are rendered as raw HTML with no escaping. This allows the injection of arbitrary HTML into the Svelecte dropdown. This can be exploited to execute arbitrary JavaScript whenever a Svelecte dropdown is opened. Item names given to Svelecte appear to be directly rendered as HTML by the default item renderer. This means that any HTML tags in the name are rendered as HTML elements not as text. Note that the custom item renderer shown in https://mskocik.github.io/svelecte/#item-rendering is also vulnerable to the same exploit. Any site that uses Svelecte with dynamically created items either from an external source or from user-created content could be vulnerable to an XSS attack (execution of untrusted JavaScript), clickjacking or any other attack that can be performed with arbitrary HTML injection. The actual impact of this vulnerability for a specific application depends on how trustworthy the sources that provide Svelecte items are and the steps that the application has taken to mitigate XSS attacks. XSS attacks using this vulnerability are mostly mitigated by a Content Security Policy that blocks inline JavaScript. This issue has been addressed in version 3.16.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-39950 | 1 Siemens | 1 Efibootguard | 2023-08-22 | N/A | 5.2 MEDIUM |
| efibootguard is a simple UEFI boot loader with support for safely switching between current and updated partition sets. Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files can cause crashes, and probably also code injection, in `bg_setenv` or in programs using `libebgenv`. This is triggered when the affected components try to modify a manipulated environment, in particular its user variables. Furthermore, `bg_printenv` may crash over invalid read accesses or report invalid results. Not affected by this issue is EFI Boot Guard's bootloader EFI binary. EFI Boot Guard release v0.15 contains the required patches to sanitize and validate the bootloader environment prior to processing it in userspace. Its library and tools should be updated, as should programs statically linked against it. An update of the bootloader EFI executable is not required. The only way to prevent the issue with an unpatched EFI Boot Guard version is to avoid accesses to user variables, specifically modifications to them. | |||||
| CVE-2021-28038 | 3 Debian, Linux, Netapp | 4 Debian Linux, Linux Kernel, Cloud Backup and 1 more | 2023-08-22 | 4.9 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931. | |||||
| CVE-2023-24478 | 1 Intel | 1 Quartus Prime | 2023-08-22 | N/A | 5.5 MEDIUM |
| Use of insufficiently random values for some Intel Agilex(R) software included as part of Intel(R) Quartus(R) Prime Pro Edition for Linux before version 22.4 may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2023-32494 | 1 Dell | 1 Powerscale Onefs | 2023-08-22 | N/A | 6.7 MEDIUM |
| Dell PowerScale OneFS 8.0.x-9.5.x contains an improper handling of insufficient privileges vulnerability. A local privileged attacker could potentially exploit this vulnerability, leading to elevation of privilege; compliance mode is also affected. | |||||
| CVE-2023-38850 | 1 Msweet | 1 Codedoc | 2023-08-22 | N/A | 5.5 MEDIUM |
| Buffer Overflow vulnerability in Michaelrsweet codedoc v.3.7 allows an attacker to cause a denial of service via the codedoc.c:1742 component. | |||||
| CVE-2023-30473 | 1 Icopydoc | 1 Yml For Yandex Market | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maxim Glazunov YML for Yandex Market plugin <= 3.10.7 versions. | |||||
| CVE-2023-30782 | 1 Churchadminplugin | 1 Church Admin | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moyle Church Admin plugin <= 3.7.5 versions. | |||||
| CVE-2023-30785 | 1 I13websolution | 1 Video Grid | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Video Grid plugin <= 1.21 versions. | |||||
| CVE-2023-30784 | 1 Kayastudio | 1 Kaya Qr Code Generator | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Kaya Studio Kaya QR Code Generator plugin <= 1.5.2 versions. | |||||
| CVE-2023-1110 | 1 Yellowyard | 1 Yellow Yard Searchbar | 2023-08-22 | N/A | 5.4 MEDIUM |
| The Yellow Yard Searchbar WordPress plugin before 2.8.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-0274 | 1 Asandia | 1 Url Params | 2023-08-22 | N/A | 5.4 MEDIUM |
| The URL Params WordPress plugin before 2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-1465 | 1 Wpeasypay | 1 Wp Easypay | 2023-08-22 | N/A | 6.1 MEDIUM |
| The WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high-privilege users such as admin. | |||||
| CVE-2023-30778 | 1 Blubrry | 1 Powerpress | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Blubrry PowerPress Podcasting plugin <= 10.0.1 versions. | |||||
| CVE-2023-32003 | 2 Fedoraproject, Nodejs | 2 Fedora, Node.js | 2023-08-22 | N/A | 5.3 MEDIUM |
| `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | |||||
| CVE-2023-30747 | 1 Wpgem | 1 Woocommerce Easy Duplicate Product | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPGem WooCommerce Easy Duplicate Product plugin <= 0.3.0.0 versions. | |||||
| CVE-2023-30498 | 1 Codeflavors | 1 Vimeotheque | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodeFlavors Vimeotheque: Vimeo WordPress Plugin <= 2.2.1 versions. | |||||
| CVE-2023-4347 | 1 Librenms | 1 Librenms | 2023-08-22 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.8.0. | |||||
| CVE-2023-23208 | 3 Genesys, Linux, Microsoft | 3 Administrator Extension, Linux Kernel, Windows | 2023-08-22 | N/A | 6.1 MEDIUM |
| Genesys Administrator Extension (GAX) before 9.0.105.15 is vulnerable to Cross Site Scripting (XSS) via the Business Structure page of the iWD plugin, aka GAX-11261. | |||||
| CVE-2023-4422 | 1 Agentejo | 1 Cockpit | 2023-08-22 | N/A | 4.8 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. | |||||
| CVE-2023-38911 | 1 Cszcms | 1 Csz Cms | 2023-08-22 | N/A | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Gallery parameter in the YouTube URL fields. | |||||
| CVE-2023-38910 | 1 Cszcms | 1 Csz Cms | 2023-08-22 | N/A | 6.1 MEDIUM |
| CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Photo URL' and 'YouTube URL' fields of a carousel created in the 'Carousel Widget' section and then selected in the carousel widget plugin. | |||||
| CVE-2023-31079 | 1 Thechrisroberts | 1 Tippy | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Chris Roberts Tippy plugin <= 6.2.1 versions. | |||||
| CVE-2023-28783 | 1 Phpradar | 1 Woocommerce Tip/donation | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (shop manager+) Stored Cross-Site Scripting (XSS) vulnerability in PHPRADAR Woocommerce Tip/Donation plugin <= 1.2 versions. | |||||
| CVE-2023-28693 | 1 Balasahebbhise | 1 Advanced Youtube Channel Pagination | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Balasaheb Bhise Advanced Youtube Channel Pagination plugin <= 1.0 version. | |||||
| CVE-2023-31091 | 1 Pradeepsinghweb | 1 Dynamically Register Sidebars | 2023-08-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Pradeep Singh Dynamically Register Sidebars plugin <= 1.0.1 versions. | |||||
| CVE-2023-31074 | 1 Hupe13 | 1 Extensions For Leaflet Map | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in hupe13 Extensions for Leaflet Map plugin <= 3.4.1 versions. | |||||
| CVE-2023-26530 | 1 Updraftplus | 1 Updraft | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Paul Kehrer Updraft plugin <= 0.6.1 versions. | |||||
| CVE-2023-31076 | 1 Really-simple-plugins | 1 Recipe Maker For Your Food Blog From Zip Recipes | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Really Simple Plugins Recipe Maker For Your Food Blog from Zip Recipes plugin <= 8.0.6 versions. | |||||
| CVE-2023-31071 | 1 Ylefebvre | 1 Modal Dialog | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Yannick Lefebvre Modal Dialog plugin <= 3.5.14 versions. | |||||
| CVE-2023-30877 | 1 Icopydoc | 1 Xml For Google Merchant Center | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maxim Glazunov XML for Google Merchant Center plugin <= 3.0.1 versions. | |||||
| CVE-2023-30876 | 1 Davidmichaelross | 1 Dave's Wordpress Live Search | 2023-08-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Dave Ross Dave's WordPress Live Search plugin <= 4.8.1 versions. | |||||
| CVE-2023-30874 | 1 Stpetedesign | 1 Gps Plotter | 2023-08-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Steve Curtis, St. Pete Design Gps Plotter plugin <= 5.1.4 versions. | |||||
