Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-4972 | 1 Yepas | 1 Digital Yepas | 2023-11-30 | N/A | 9.8 CRITICAL |
| Improper Privilege Management vulnerability in Yepas Digital Yepas allows Collect Data as Provided by Users. This issue affects . | |||||
| CVE-2023-4702 | 1 Yepas | 1 Digital Yepas | 2023-11-30 | N/A | 9.8 CRITICAL |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass. This issue affects Digital Yepas: before 1.0.1. | |||||
| CVE-2023-45377 | 1 Chronopost | 1 Chronopost | 2023-11-30 | N/A | 9.8 CRITICAL |
| In the module "Chronopost Official" (chronopost) for PrestaShop, a guest can perform SQL injection. The PHP script `cancelSkybill.php` contains sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection. | |||||
| CVE-2023-43082 | 1 Dell | 3 Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment | 2023-11-30 | N/A | 5.9 MEDIUM |
| Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | |||||
| CVE-2023-6253 | 1 Fortra | 1 Digital Guardian Agent | 2023-11-30 | N/A | 6.0 MEDIUM |
| A saved encryption key in the Uninstaller in Digital Guardian's Agent before version 7.9.4 allows a local attacker to retrieve the uninstall key and remove the software by extracting the uninstaller key from the memory of the uninstaller file. | |||||
| CVE-2023-48701 | 1 Statamic | 1 Statamic | 2023-11-30 | N/A | 6.1 MEDIUM |
| Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel which requires authentication. This issue has been patched in 3.4.15 and 4.36.0. | |||||
| CVE-2021-38405 | 1 Siemens | 2 Jt2go, Teamcenter Visualization | 2023-11-30 | N/A | 7.8 HIGH |
| The Datalogics APDFL library used in affected products is vulnerable to a memory corruption condition while parsing specially crafted PDF files. An attacker could leverage this vulnerability to execute code in the context of the current process. | |||||
| CVE-2023-47631 | 1 Vantage6 | 1 Vantage6 | 2023-11-30 | N/A | 8.8 HIGH |
| vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). In affected versions a node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the server may modify it to set a fake `parent_id` and send a task of a non-whitelisted algorithm. The node will then execute it because the `parent_id` that is set prevents checks from being run. This impacts all servers that are breached by an expert user. This vulnerability has been patched in version 4.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-6312 | 1 Razormist | 1 Loan Management System | 2023-11-30 | N/A | 7.2 HIGH |
| A vulnerability was found in SourceCodester Loan Management System 1.0. It has been classified as critical. Affected is the function delete_user of the file deleteUser.php of the component Users Page. The manipulation of the argument user_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-246138 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-49213 | 1 Ironmansoftware | 1 Powershell Universal | 2023-11-30 | N/A | 8.8 HIGH |
| The API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 allow remote attackers to execute arbitrary commands via crafted HTTP requests if a param block is used, due to invalid sanitization of input strings. The fixed versions are 3.10.2, 4.1.10, and 4.2.1. | |||||
| CVE-2023-6311 | 1 Razormist | 1 Loan Management System | 2023-11-30 | N/A | 7.2 HIGH |
| A vulnerability was found in SourceCodester Loan Management System 1.0 and classified as critical. This issue affects the function delete_ltype of the file delete_ltype.php of the component Loan Type Page. The manipulation of the argument ltype_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-246137 was assigned to this vulnerability. | |||||
| CVE-2023-6310 | 1 Razormist | 1 Loan Management System | 2023-11-30 | N/A | 7.2 HIGH |
| A vulnerability has been found in SourceCodester Loan Management System 1.0 and classified as critical. This vulnerability affects the function delete_borrower of the file deleteBorrower.php. The manipulation of the argument borrower_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-246136. | |||||
| CVE-2023-4223 | 1 Chamilo | 1 Chamilo Lms | 2023-11-30 | N/A | 8.8 HIGH |
| Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | |||||
| CVE-2023-4222 | 1 Chamilo | 1 Chamilo Lms | 2023-11-30 | N/A | 8.8 HIGH |
| Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters. | |||||
| CVE-2023-4221 | 1 Chamilo | 1 Chamilo Lms | 2023-11-30 | N/A | 8.8 HIGH |
| Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters. | |||||
| CVE-2023-4226 | 1 Chamilo | 1 Chamilo Lms | 2023-11-30 | N/A | 8.8 HIGH |
| Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | |||||
| CVE-2023-4225 | 1 Chamilo | 1 Chamilo Lms | 2023-11-30 | N/A | 8.8 HIGH |
| Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | |||||
| CVE-2023-4224 | 1 Chamilo | 1 Chamilo Lms | 2023-11-30 | N/A | 8.8 HIGH |
| Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | |||||
| CVE-2023-47316 | 1 H-mdm | 1 Headwind Mdm | 2023-11-30 | N/A | 5.4 MEDIUM |
| Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control. The Web panel allows users to gain access to potentially sensitive API calls such as listing users and their data, file management API calls and audit-related API calls. | |||||
| CVE-2023-47312 | 1 H-mdm | 1 Headwind Mdm | 2023-11-30 | N/A | 6.5 MEDIUM |
| Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to Login Credential Leakage via Audit Entries. | |||||
| CVE-2023-2447 | 1 Userproplugin | 1 Userpro | 2023-11-30 | N/A | 6.1 MEDIUM |
| The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the 'export_users' function. This makes it possible for unauthenticated attackers to export the users to a csv file, granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2446 | 1 Userproplugin | 1 Userpro | 2023-11-30 | N/A | 6.5 MEDIUM |
| The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account. | |||||
| CVE-2023-46357 | 1 Myprestamodules | 1 Cross Selling In Modal Cart | 2023-11-30 | N/A | 9.8 CRITICAL |
| In the module "Cross Selling in Modal Cart" (motivationsale) < 3.5.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection. The method `motivationsaleDataModel::getProductsByIds()` has sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection. | |||||
| CVE-2023-5942 | 1 Drelton | 1 Medialist | 2023-11-30 | N/A | 5.4 MEDIUM |
| The Medialist WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-6300 | 1 Mayurik | 1 Best Courier Management System | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Best Courier Management System 1.0. Affected is an unknown function. The manipulation of the argument page with the input </TiTlE><ScRiPt>alert(1)</ScRiPt> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-246126 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-6301 | 1 Mayurik | 1 Best Courier Management System | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in SourceCodester Best Courier Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file parcel_list.php of the component GET Parameter Handler. The manipulation of the argument id with the input </TiTlE><ScRiPt>alert(1)</ScRiPt> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246127. | |||||
| CVE-2023-47668 | 1 Liquidweb | 1 Restrict Content | 2023-11-30 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StellarWP Membership Plugin – Restrict Content plugin versions <= 3.2.7. | |||||
| CVE-2023-4514 | 1 Mediamanifesto | 1 Mmm Simple File List | 2023-11-30 | N/A | 5.4 MEDIUM |
| The Mmm Simple File List WordPress plugin through 2.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-4297 | 1 Mediamanifesto | 1 Mmm Simple File List | 2023-11-30 | N/A | 4.3 MEDIUM |
| The Mmm Simple File List WordPress plugin through 2.3 does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories. | |||||
| CVE-2023-2603 | 4 Debian, Fedoraproject, Libcap Project and 1 more | 4 Debian Linux, Fedora, Libcap and 1 more | 2023-11-30 | N/A | 7.8 HIGH |
| A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB. | |||||
| CVE-2023-2602 | 4 Debian, Fedoraproject, Libcap Project and 1 more | 4 Debian Linux, Fedora, Libcap and 1 more | 2023-11-30 | N/A | 3.3 LOW |
| A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to cause __real_pthread_create() to return an error, which can exhaust the process memory. | |||||
| CVE-2023-42366 | 1 Busybox | 1 Busybox | 2023-11-30 | N/A | 5.5 MEDIUM |
| A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. | |||||
| CVE-2023-42365 | 1 Busybox | 1 Busybox | 2023-11-30 | N/A | 5.5 MEDIUM |
| A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. | |||||
| CVE-2023-4252 | 1 Metagauss | 1 Eventprime | 2023-11-30 | N/A | 5.3 MEDIUM |
| The EventPrime WordPress plugin through 3.2.9 specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment. | |||||
| CVE-2023-42364 | 1 Busybox | 1 Busybox | 2023-11-30 | N/A | 5.5 MEDIUM |
| A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function. | |||||
| CVE-2023-42363 | 1 Busybox | 1 Busybox | 2023-11-30 | N/A | 5.5 MEDIUM |
| A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. | |||||
| CVE-2023-44290 | 1 Dell | 1 Command\|monitor | 2023-11-30 | N/A | 7.8 HIGH |
| Dell Command \| Monitor versions prior to 10.10.0 contain an improper access control vulnerability. A local malicious standard user could potentially exploit this vulnerability while repairing/changing the installation, leading to privilege escalation. | |||||
| CVE-2023-44289 | 1 Dell | 1 Command\|configure | 2023-11-30 | N/A | 7.8 HIGH |
| Dell Command \| Configure versions prior to 4.11.0 contain an improper access control vulnerability. A local malicious standard user could potentially exploit this vulnerability while repairing/changing the installation, leading to privilege escalation. | |||||
| CVE-2023-43086 | 1 Dell | 1 Command\|configure | 2023-11-30 | N/A | 7.8 HIGH |
| Dell Command \| Configure versions prior to 4.11.0 contain an improper access control vulnerability. A local malicious user could potentially modify files inside the installation folder during an application upgrade, leading to privilege escalation. | |||||
| CVE-2023-25682 | 1 Ibm | 1 Sterling B2b Integrator | 2023-11-30 | N/A | 5.5 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.1 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 247034. | |||||
| CVE-2022-36777 | 1 Ibm | 2 Cloud Pak For Security, Qradar Suite | 2023-11-30 | N/A | 6.5 MEDIUM |
| IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.16.0 could allow an authenticated user to obtain sensitive version information that could aid in further attacks against the system. IBM X-Force ID: 233665. | |||||
| CVE-2023-2841 | 1 Zorem | 1 Advanced Local Pickup For Woocommerce | 2023-11-30 | N/A | 7.2 HIGH |
| The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in versions up to, and including, 1.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with admin-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2023-6189 | 1 M-files | 1 M-files Server | 2023-11-30 | N/A | 5.3 MEDIUM |
| Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API methods. | |||||
| CVE-2023-32514 | 1 Himanshuparashar | 1 Google Site Verification Plugin Using Meta Tag | 2023-11-30 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Himanshu Parashar Google Site Verification plugin using Meta Tag. This issue affects Google Site Verification plugin using Meta Tag: from n/a through 1.2. | |||||
| CVE-2023-26279 | 1 Ibm | 1 Qradar Wincollect | 2023-11-30 | N/A | 7.8 HIGH |
| IBM QRadar WinCollect Agent 10.0 through 10.1.7 could allow a local user to perform unauthorized actions due to improper encoding. IBM X-Force ID: 248160. | |||||
| CVE-2023-6117 | 1 M-files | 1 M-files Server | 2023-11-30 | N/A | 7.5 HIGH |
| Obsolete functionality in the REST API methods of the M-Files server before 23.11.13156.0 can cause unwanted server memory consumption, which allows attackers to perform DoS attacks. | |||||
| CVE-2023-32504 | 1 Kaine | 1 Wise Chat | 2023-11-30 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Kainex Wise Chat. This issue affects Wise Chat: from n/a through 3.1.3. | |||||
| CVE-2023-32245 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2023-11-30 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Essential Addons for Elementor Pro. This issue affects Essential Addons for Elementor Pro: from n/a through 5.4.8. | |||||
| CVE-2023-31089 | 1 Webternsolutions | 1 Video Xml Sitemap Generator | 2023-11-30 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Tradebooster Video XML Sitemap Generator. This issue affects Video XML Sitemap Generator: from n/a through 1.0.0. | |||||
| CVE-2023-31075 | 1 Ciphercoin | 1 Easy Hide Login | 2023-11-30 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Arshid Easy Hide Login. This issue affects Easy Hide Login: from n/a through 1.0.8. | |||||
