Search
Total
86024 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22494 | 2024-01-12 | N/A | N/A | ||
| A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save mobile parameter, which allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2024-22493 | 2024-01-12 | N/A | N/A | ||
| A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save content parameter, which allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2024-22492 | 2024-01-12 | N/A | N/A | ||
| A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save contact parameter, which allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2024-0460 | 2024-01-12 | N/A | N/A | ||
| A vulnerability was found in code-projects Faculty Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/pages/student-print.php. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250565 was assigned to this vulnerability. | |||||
| CVE-2024-0459 | 2024-01-12 | N/A | N/A | ||
| A vulnerability has been found in Blood Bank & Donor Management 5.6 and classified as critical. This vulnerability affects unknown code of the file /admin/request-received-bydonar.php. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250564. | |||||
| CVE-2023-51978 | 2024-01-12 | N/A | N/A | ||
| In PHPGurukul Art Gallery Management System v1.1, "Update Artist Image" functionality of "imageid" parameter is vulnerable to SQL Injection. | |||||
| CVE-2023-28898 | 2024-01-12 | N/A | N/A | ||
| The Real-Time Streaming Protocol implementation in the MIB3 infotainment incorrectly handles requests to /logs URI, when the id parameter equals to zero. This issue allows an attacker connected to the in-vehicle Wi-Fi network to cause denial-of-service of the infotainment system, when the certain preconditions are met. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. | |||||
| CVE-2023-28897 | 2024-01-12 | N/A | N/A | ||
| The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. | |||||
| CVE-2023-51949 | 2024-01-12 | N/A | N/A | ||
| Verydows v2.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /protected/controller/backend/role_controller | |||||
| CVE-2023-49262 | 2024-01-12 | N/A | N/A | ||
| The authentication mechanism can be bypassed by overflowing the value of the Cookie "authentication" field, provided there is an active user session. | |||||
| CVE-2023-49261 | 2024-01-12 | N/A | N/A | ||
| The "tokenKey" value used in user authorization is visible in the HTML source of the login page. | |||||
| CVE-2023-49260 | 2024-01-12 | N/A | N/A | ||
| An XSS attack can be performed by changing the MOTD banner and pointing the victim to the "terminal_tool.cgi" path. It can be used together with the vulnerability CVE-2023-49255. | |||||
| CVE-2023-49259 | 2024-01-12 | N/A | N/A | ||
| The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up-time, and can be guessed in a reasonable time. | |||||
| CVE-2023-49258 | 2024-01-12 | N/A | N/A | ||
| User browser may be forced to execute JavaScript and pass the authentication cookie to the attacker leveraging the XSS vulnerability located at "/gui/terminal_tool.cgi" in the "data" parameter. | |||||
| CVE-2023-49257 | 2024-01-12 | N/A | N/A | ||
| An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with the root user privileges. | |||||
| CVE-2023-49256 | 2024-01-12 | N/A | N/A | ||
| It is possible to download the configuration backup without authorization and decrypt included passwords using hardcoded static key. | |||||
| CVE-2023-49255 | 2024-01-12 | N/A | N/A | ||
| The router console is accessible without authentication at "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated one. If the logged in user has administrative privileges, it is possible to use webadmin service configuration commands to create a new admin user with a chosen password. | |||||
| CVE-2023-49254 | 2024-01-12 | N/A | N/A | ||
| Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the "destination" field of the network test tools. This is similar to the vulnerability CVE-2021-28151 mitigated on the user interface level by blacklisting characters with JavaScript, however, it can still be exploited by sending POST requests directly. | |||||
| CVE-2023-49253 | 2024-01-12 | N/A | N/A | ||
| Root user password is hardcoded into the device and cannot be changed in the user interface. | |||||
| CVE-2023-7028 | 2024-01-12 | N/A | N/A | ||
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. | |||||
| CVE-2023-6955 | 2024-01-12 | N/A | N/A | ||
| An improper access control vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. | |||||
| CVE-2023-5356 | 2024-01-12 | N/A | N/A | ||
| Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user. | |||||
| CVE-2023-4812 | 2024-01-12 | N/A | N/A | ||
| An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request. | |||||
| CVE-2023-2030 | 2024-01-12 | N/A | N/A | ||
| An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits. | |||||
| CVE-2023-0437 | 2024-01-12 | N/A | N/A | ||
| When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0. | |||||
| CVE-2023-6740 | 2024-01-12 | N/A | N/A | ||
| Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges | |||||
| CVE-2023-6735 | 2024-01-12 | N/A | N/A | ||
| Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges | |||||
| CVE-2023-31211 | 2024-01-12 | N/A | N/A | ||
| Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credentials | |||||
| CVE-2023-52026 | 2024-01-12 | N/A | N/A | ||
| TOTOlink EX1800T V9.1.0cu.2112_B20220316 was discovered to contain a remote command execution (RCE) vulnerability via the telnet_enabled parameter of the setTelnetCfg interface | |||||
| CVE-2023-51806 | 2024-01-12 | N/A | N/A | ||
| File Upload vulnerability in Ujcms v.8.0.2 allows a local attacker to execute arbitrary code via a crafted file. | |||||
| CVE-2023-51790 | 2024-01-12 | N/A | N/A | ||
| Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component. | |||||
| CVE-2023-49569 | 2024-01-12 | N/A | N/A | ||
| A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. | |||||
| CVE-2023-49568 | 2024-01-12 | N/A | N/A | ||
| A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. | |||||
| CVE-2023-48909 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered in Jave2 version 3.3.1, allows attackers to execute arbitrary code via the FFmpeg function. | |||||
| CVE-2023-30016 | 2024-01-12 | N/A | N/A | ||
| SQL Injection vulnerability in oretnom23 Judging Management System v1.0, allows remote attackers to execute arbitrary code and obtain sensitive information via sub_event_id parameter in sub_event_details_edit.php. | |||||
| CVE-2023-30015 | 2024-01-12 | N/A | N/A | ||
| SQL Injection vulnerability in oretnom23 Judging Management System v1.0, allows remote attackers to execute arbitrary code and obtain sensitive information via txtsearch parameter in review_search.php. | |||||
| CVE-2023-30014 | 2024-01-12 | N/A | N/A | ||
| SQL Injection vulnerability in oretnom23 Judging Management System v1.0, allows remote attackers to execute arbitrary code and obtain sensitive information via sub_event_id parameter in sub_event_stat_update.php. | |||||
| CVE-2023-50920 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered on GL.iNet devices before version 4.5.0. They assign the same session ID after each user reboot, allowing attackers to share session identifiers between different sessions and bypass authentication or access control measures. Attackers can impersonate legitimate users or perform unauthorized actions. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7. | |||||
| CVE-2023-50919 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7. | |||||
| CVE-2023-40362 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered in CentralSquare Click2Gov Building Permit before October 2023. Lack of access control protections allows remote attackers to arbitrarily delete the contractors from any user's account when the user ID and contractor information is known. | |||||
| CVE-2024-22027 | 2024-01-12 | N/A | N/A | ||
| Improper input validation vulnerability in WordPress Quiz Maker Plugin prior to 6.5.0.6 allows a remote authenticated attacker to perform a Denial of Service (DoS) attack against external services. | |||||
| CVE-2023-37117 | 2024-01-12 | N/A | N/A | ||
| A heap-use-after-free vulnerability was found in live555 version 2023.05.10 while handling the SETUP. | |||||
| CVE-2023-34061 | 2024-01-12 | N/A | N/A | ||
| Cloud Foundry routing release versions from v0.163.0 to v0.283.0 are vulnerable to a DOS attack. An unauthenticated attacker can use this vulnerability to force route pruning and therefore degrade the service availability of the Cloud Foundry deployment. | |||||
| CVE-2024-23179 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks. | |||||
| CVE-2024-23178 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message. | |||||
| CVE-2024-23177 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter. | |||||
| CVE-2024-23174 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message. | |||||
| CVE-2024-23173 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php. | |||||
| CVE-2024-23172 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog. | |||||
| CVE-2024-23171 | 2024-01-12 | N/A | N/A | ||
| An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n). | |||||