Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-28622 | 1 Tridenttechnolabs | 1 Easy Slider Revolution | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in Trident Technolabs Easy Slider Revolution plugin <= 1.0.0 versions. | |||||
| CVE-2023-28533 | 1 Nimbus | 1 Cab Grid | 2023-08-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in M Williams Cab Grid plugin <= 1.5.15 versions. | |||||
| CVE-2023-4395 | 1 Agentejo | 1 Cockpit | 2023-08-22 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | |||||
| CVE-2023-4293 | 1 Wpdownloadmanager | 1 Premium Packages - Sell Digital Products Securely | 2023-08-22 | N/A | 6.5 MEDIUM |
| The Premium Packages - Sell Digital Products Securely plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.7.4 due to insufficient restriction on the 'wpdmpp_update_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'profile[role]' parameter during a profile update. | |||||
| CVE-2023-21292 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In openContentUri of ActivityManagerService.java, there is a possible way for a third party app to obtain restricted files due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21290 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In update of MmsProvider.java, there is a possible way to bypass file permission checks due to a race condition. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21289 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In multiple locations, there is a possible bypass of a multi user security boundary due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-4330 | 1 Broadcom | 1 Raid Controller Web Interface | 2023-08-21 | N/A | 6.5 MEDIUM |
| Broadcom RAID Controller web interface is vulnerable: a Denial of Service can be caused by a user authenticated to the REST API interface. | |||||
| CVE-2023-4328 | 2 Broadcom, Linux | 2 Raid Controller Web Interface, Linux Kernel | 2023-08-21 | N/A | 5.5 MEDIUM |
| Broadcom RAID Controller web interface is vulnerable to exposure of sensitive data and the keys used for encryption are accessible to any local user on Linux | |||||
| CVE-2023-4327 | 2 Broadcom, Linux | 2 Raid Controller Web Interface, Linux Kernel | 2023-08-21 | N/A | 5.5 MEDIUM |
| Broadcom RAID Controller web interface is vulnerable to exposure of sensitive data and the keys used for encryption are accessible to any local user on Linux | |||||
| CVE-2023-4333 | 2 Broadcom, Microsoft | 2 Raid Controller Web Interface, Windows | 2023-08-21 | N/A | 5.5 MEDIUM |
| Broadcom RAID Controller web interface is vulnerable to exposure of sensitive data and the keys used for encryption are accessible to any local user on Windows | |||||
| CVE-2023-40293 | 1 Samsung | 1 Harman Infotainment | 2023-08-21 | N/A | 6.8 MEDIUM |
| Harman Infotainment 20190525031613 and later allows command injection via unauthenticated RPC with a D-Bus connection object. | |||||
| CVE-2023-40292 | 1 Samsung | 1 Harman Infotainment | 2023-08-21 | N/A | 4.3 MEDIUM |
| Harman Infotainment 20190525031613 and later discloses the IP address via CarPlay CTRL packets. | |||||
| CVE-2023-21288 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In visitUris of Notification.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-40291 | 1 Samsung | 1 Harman Infotainment | 2023-08-21 | N/A | 6.8 MEDIUM |
| Harman Infotainment 20190525031613 allows root access via SSH over a USB-to-Ethernet dongle with a password that is an internal project name. | |||||
| CVE-2023-40024 | 1 Nexb | 1 Scancode.io | 2023-08-21 | N/A | 6.1 MEDIUM |
| ScanCode.io is a server to script and automate software composition analysis pipelines. In the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the `license_details_view` function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. This issue has been addressed in release `32.5.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-4361 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Android and 1 more | 2023-08-21 | N/A | 5.3 MEDIUM |
| Inappropriate implementation in Autofill in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2023-4308 | 1 Plugin-planet | 1 User Submitted Posts | 2023-08-21 | N/A | 5.4 MEDIUM |
| The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user-submitted-content’ parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-3721 | 1 Lesterchan | 1 Wp-email | 2023-08-21 | N/A | 4.8 MEDIUM |
| The WP-EMail WordPress plugin before 2.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-2916 | 1 Revmakx | 1 Infinitewp Client | 2023-08-21 | N/A | 5.3 MEDIUM |
| The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges. | |||||
| CVE-2022-4953 | 1 Elementor | 1 Website Builder | 2023-08-21 | N/A | 6.1 MEDIUM |
| The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs. | |||||
| CVE-2021-29057 | 1 Thoughtworks | 1 Node-worker-threads-pool | 2023-08-21 | N/A | 6.5 MEDIUM |
| An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3 that allows attackers to cause a denial of service. | |||||
| CVE-2023-4350 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Android and 1 more | 2023-08-21 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to potentially spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2023-40294 | 1 0branch | 1 Boron | 2023-08-21 | N/A | 6.5 MEDIUM |
| libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_parseBlockI at i_parse_blk.c. | |||||
| CVE-2023-28482 | 1 Tigergraph | 1 Tigergraph | 2023-08-21 | N/A | 6.5 MEDIUM |
| An issue was discovered in Tigergraph Enterprise 3.7.0. A single TigerGraph instance can host multiple graphs that are accessed by multiple different users. The TigerGraph platform does not protect the confidentiality of any data uploaded to the remote server. In this scenario, any user that has permissions to upload data can browse data uploaded by any other user (irrespective of their permissions). | |||||
| CVE-2023-26961 | 1 Alteryx | 1 Alteryx Server | 2023-08-21 | N/A | 4.8 MEDIUM |
| Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files (e.g., JavaScript content for stored XSS) via the type field in a JSON document within a PUT /gallery/api/media request. | |||||
| CVE-2023-28714 | 2 Intel, Microsoft | 2 Proset/wireless Wifi, Windows | 2023-08-21 | N/A | 6.7 MEDIUM |
| Improper access control in firmware for some Intel(R) PROSet/Wireless WiFi software for Windows before version 22.220 HF (Hot Fix) may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-28773 | 1 Kolja-nolte | 1 Secondary Title | 2023-08-21 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Kolja Nolte Secondary Title plugin <= 2.0.9.1 versions. | |||||
| CVE-2023-28938 | 1 Mdadm Project | 1 Mdadm | 2023-08-21 | N/A | 4.4 MEDIUM |
| Uncontrolled resource consumption in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2023-28736 | 1 Mdadm Project | 1 Mdadm | 2023-08-21 | N/A | 6.7 MEDIUM |
| Buffer overflow in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-21277 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21276 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In writeToParcel of CursorWindow.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21274 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21280 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In setMediaButtonBroadcastReceiver of MediaSessionRecord.java, there is a possible permanent DoS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21279 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In visitUris of RemoteViews.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21284 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In multiple functions of DevicePolicyManager.java, there is a possible way to prevent enabling the Find my Device feature due to improper input validation. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21283 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In multiple functions of StatusHints.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2023-21285 | 1 Google | 1 Android | 2023-08-21 | N/A | 5.5 MEDIUM |
| In setMetadata of MediaSessionRecord.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-3328 | 1 Custom Field For Wp Job Manager Project | 1 Custom Field For Wp Job Manager | 2023-08-21 | N/A | 4.8 MEDIUM |
| The Custom Field For WP Job Manager WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-2803 | 1 Themefic | 1 Ultimate Addons For Contact Form 7 | 2023-08-21 | N/A | 6.1 MEDIUM |
| The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2023-28768 | 1 Zyxel | 22 Xgs2220-30, Xgs2220-30 Firmware, Xgs2220-30f and 19 more | 2023-08-21 | N/A | 6.5 MEDIUM |
| Improper frame handling in the Zyxel XGS2220-30 firmware version V4.80(ABXN.1), XMG1930-30 firmware version V4.80(ACAR.1), and XS1930-10 firmware version V4.80(ABQE.1) could allow an unauthenticated LAN-based attacker to cause denial-of-service (DoS) conditions by sending crafted frames to an affected switch. | |||||
| CVE-2023-3645 | 1 Bitapps | 1 Contact Form Builder | 2023-08-21 | N/A | 4.8 MEDIUM |
| The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-3601 | 1 Webfactoryltd | 1 Simple Author Box | 2023-08-21 | N/A | 4.3 MEDIUM |
| The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. | |||||
| CVE-2021-28025 | 1 Qt | 1 Qt | 2023-08-21 | N/A | 5.5 MEDIUM |
| Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2 allows local attackers to cause a denial of service (DoS). | |||||
| CVE-2023-40235 | 1 Opengroup | 1 Archi | 2023-08-21 | N/A | 6.5 MEDIUM |
| An NTLM Hash Disclosure was discovered in ArchiMate Archi before 5.1.0. When parsing the XMLNS value of an ArchiMate project file, if the namespace does not match the expected ArchiMate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept a guest account, the host will try to authenticate on the share by using the current user's session. NOTE: this issue occurs because Archi uses an unsafe configuration of the Eclipse Modeling Framework. | |||||
| CVE-2022-41984 | 1 Intel | 4 Arc A750, Arc A750 Firmware, Arc A770 and 1 more | 2023-08-21 | N/A | 4.4 MEDIUM |
| Protection mechanism failure for some Intel(R) Arc(TM) graphics cards A770 and A750 sold between October of 2022 and December of 2022 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2023-22276 | 1 Intel | 6 Ethernet Network Controller E810-cam1, Ethernet Network Controller E810-cam1 Firmware, Ethernet Network Controller E810-cam2 and 3 more | 2023-08-21 | N/A | 4.7 MEDIUM |
| Race condition in firmware for some Intel(R) Ethernet Controllers and Adapters E810 Series before version 1.7.2.4 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2023-2802 | 1 Themefic | 1 Ultimate Addons For Contact Form 7 | 2023-08-21 | N/A | 4.8 MEDIUM |
| The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-2606 | 1 Brutalplugins | 1 Wp Brutal Ai | 2023-08-21 | N/A | 4.8 MEDIUM |
| The WP Brutal AI WordPress plugin before 2.06 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-20593 | 3 Amd, Debian, Xen | 140 Athlon Gold 7220u, Athlon Gold 7220u Firmware, Epyc 7232p and 137 more | 2023-08-21 | N/A | 5.5 MEDIUM |
| An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. | |||||
