Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-43432 | 1 Jenkins | 1 Xframium Builder | 2023-11-22 | N/A | 4.3 MEDIUM |
| Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | |||||
| CVE-2022-43431 | 1 Jenkins | 1 Compuware Strobe Measurement | 2023-11-22 | N/A | 4.3 MEDIUM |
| Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2022-43434 | 1 Jenkins | 1 Neuvector Vulnerability Scanner | 2023-11-22 | N/A | 5.3 MEDIUM |
| Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | |||||
| CVE-2022-43433 | 1 Jenkins | 1 Screenrecorder | 2023-11-22 | N/A | 4.3 MEDIUM |
| Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | |||||
| CVE-2022-45379 | 1 Jenkins | 1 Script Security | 2023-11-22 | N/A | 7.5 HIGH |
| Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks. | |||||
| CVE-2022-43435 | 1 Jenkins | 1 360 Fireline | 2023-11-22 | N/A | 5.3 MEDIUM |
| Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. | |||||
| CVE-2021-42362 | 1 Wordpress Popular Posts Project | 1 Wordpress Popular Posts | 2023-11-22 | 6.5 MEDIUM | 8.8 HIGH |
| The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2. | |||||
| CVE-2022-23830 | 1 Amd | 130 Epyc 7203, Epyc 7203 Firmware, Epyc 7203p and 127 more | 2023-11-22 | N/A | 5.3 MEDIUM |
| SMM configuration may not be immutable, as intended, when SNP is enabled resulting in a potential limited loss of guest memory integrity. | |||||
| CVE-2023-47508 | 1 Averta | 1 Master Slider | 2023-11-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Averta Master Slider Pro plugin <= 3.6.5 versions. | |||||
| CVE-2023-47245 | 1 Marcomilesi | 1 Anac Xml Viewer | 2023-11-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Marco Milesi ANAC XML Viewer plugin <= 1.7 versions. | |||||
| CVE-2023-47242 | 1 Marcomilesi | 1 Anac Xml Bandi Di Gara | 2023-11-22 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Marco Milesi ANAC XML Bandi di Gara plugin <= 7.5 versions. | |||||
| CVE-2023-47240 | 1 Codebxr | 1 Cbx Map For Google Map & Openstreetmap | 2023-11-22 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Codeboxr CBX Map for Google Map & OpenStreetMap plugin <= 1.1.11 versions. | |||||
| CVE-2023-47239 | 1 Wpplugin | 1 Easy Paypal Shopping Cart | 2023-11-22 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Scott Paterson Easy PayPal Shopping Cart plugin <= 1.1.10 versions. | |||||
| CVE-2023-48054 | 1 Localstack | 1 Localstack | 2023-11-22 | N/A | 7.4 HIGH |
| Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack. | |||||
| CVE-2023-48053 | 1 Archerydms | 1 Archery | 2023-11-22 | N/A | 7.5 HIGH |
| Archery v1.10.0 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications. | |||||
| CVE-2023-48052 | 1 Httpie | 1 Httpie | 2023-11-22 | N/A | 7.4 HIGH |
| Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack. | |||||
| CVE-2023-38130 | 1 Cubecart | 1 Cubecart | 2023-11-22 | N/A | 8.1 HIGH |
| Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data in the system. | |||||
| CVE-2023-48649 | 1 Concretecms | 1 Concrete Cms | 2023-11-22 | N/A | 5.4 MEDIUM |
| Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. | |||||
| CVE-2023-48648 | 1 Concretecms | 1 Concrete Cms | 2023-11-22 | N/A | 9.8 CRITICAL |
| Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) give universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified. | |||||
| CVE-2023-47675 | 1 Cubecart | 1 Cubecart | 2023-11-22 | N/A | 7.2 HIGH |
| CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command. | |||||
| CVE-2023-47283 | 1 Cubecart | 1 Cubecart | 2023-11-22 | N/A | 4.9 MEDIUM |
| Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to obtain files in the system. | |||||
| CVE-2023-42428 | 1 Cubecart | 1 Cubecart | 2023-11-22 | N/A | 6.5 MEDIUM |
| Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to delete directories and files in the system. | |||||
| CVE-2023-23549 | 1 Tribe29 | 1 Checkmk | 2023-11-21 | N/A | 2.7 LOW |
| Improper Input Validation in Checkmk <2.2.0p15, <2.1.0p37, <=2.0.0p39 allows privileged attackers to cause partial denial of service of the UI via too long hostnames. | |||||
| CVE-2023-47586 | 1 Fujielectric | 1 V-server | 2023-11-21 | N/A | 7.8 HIGH |
| Multiple heap-based buffer overflow vulnerabilities exist in V-Server V4.0.18.0 and earlier and V-Server Lite V4.0.18.0 and earlier. If a user opens a specially crafted VPR file, information may be disclosed and/or arbitrary code may be executed. | |||||
| CVE-2021-3947 | 1 Qemu | 1 Qemu | 2023-11-21 | 2.1 LOW | 5.5 MEDIUM |
| A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information. | |||||
| CVE-2023-47585 | 1 Fujielectric | 1 V-server | 2023-11-21 | N/A | 7.8 HIGH |
| Out-of-bounds read vulnerability exists in V-Server V4.0.18.0 and earlier and V-Server Lite V4.0.18.0 and earlier. If a user opens a specially crafted VPR file, information may be disclosed and/or arbitrary code may be executed. | |||||
| CVE-2023-47584 | 1 Fujielectric | 1 V-server | 2023-11-21 | N/A | 7.8 HIGH |
| Out-of-bounds write vulnerability exists in V-Server V4.0.18.0 and earlier and V-Server Lite V4.0.18.0 and earlier. If a user opens a specially crafted VPR file, information may be disclosed and/or arbitrary code may be executed. | |||||
| CVE-2023-45619 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2023-11-21 | N/A | 8.2 HIGH |
| There is an arbitrary file deletion vulnerability in the RSSI service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point. | |||||
| CVE-2023-45618 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2023-11-21 | N/A | 8.2 HIGH |
| There are arbitrary file deletion vulnerabilities in the AirWave client service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point. | |||||
| CVE-2023-45617 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2023-11-21 | N/A | 8.2 HIGH |
| There are arbitrary file deletion vulnerabilities in the CLI service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point. | |||||
| CVE-2023-45616 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2023-11-21 | N/A | 9.8 CRITICAL |
| There is a buffer overflow vulnerability in the underlying AirWave client service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system. | |||||
| CVE-2023-45615 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2023-11-21 | N/A | 9.8 CRITICAL |
| There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. | |||||
| CVE-2023-45614 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2023-11-21 | N/A | 9.8 CRITICAL |
| There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. | |||||
| CVE-2023-47580 | 1 Fujielectric | 2 Tellus, Tellus Lite | 2023-11-21 | N/A | 7.8 HIGH |
| Multiple improper restriction of operations within the bounds of a memory buffer issues exist in TELLUS V4.0.17.0 and earlier and TELLUS Lite V4.0.17.0 and earlier. If a user opens a specially crafted file (X1, V8, or V9 file), information may be disclosed and/or arbitrary code may be executed. | |||||
| CVE-2021-31852 | 1 Mcafee | 1 Policy Auditor | 2023-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the UID request parameter. The malicious script is reflected unmodified into the Policy Auditor web-based interface which could lead to the extract of end user session token or login credentials. These may be used to access additional security-critical applications or conduct arbitrary cross-domain requests. | |||||
| CVE-2023-32641 | 1 Intel | 1 Quickassist Technology | 2023-11-21 | N/A | 8.8 HIGH |
| Improper input validation in firmware for Intel(R) QAT before version QAT20.L.1.0.40-00004 may allow escalation of privilege and denial of service via adjacent access. | |||||
| CVE-2023-4889 | 1 Shareaholic | 1 Shareaholic | 2023-11-21 | N/A | 5.4 MEDIUM |
| The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-20596 | 1 Amd | 128 Ryzen 3 5125c, Ryzen 3 5125c Firmware, Ryzen 3 5300g and 125 more | 2023-11-21 | N/A | 9.8 CRITICAL |
| Improper input validation in the SMM Supervisor may allow an attacker with a compromised SMI handler to gain Ring0 access potentially leading to arbitrary code execution. | |||||
| CVE-2022-42879 | 1 Intel | 11 Arc A310, Arc A380, Arc A530m and 8 more | 2023-11-21 | N/A | 5.5 MEDIUM |
| NULL pointer dereference in some Intel(R) Arc(TM) & Iris(R) Xe Graphics - WHQL - Windows drivers before version 31.0.101.4255 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2023-20519 | 1 Amd | 4 Genoapi, Genoapi Firmware, Milanpi and 1 more | 2023-11-21 | N/A | 3.3 LOW |
| A Use-After-Free vulnerability in the management of an SNP guest context page may allow a malicious hypervisor to masquerade as the guest's migration agent resulting in a potential loss of guest integrity. | |||||
| CVE-2023-47582 | 1 Fujielectric | 2 Tellus, Tellus Lite | 2023-11-21 | N/A | 7.8 HIGH |
| Access of uninitialized pointer vulnerability exists in TELLUS V4.0.17.0 and earlier and TELLUS Lite V4.0.17.0 and earlier. If a user opens a specially crafted file (X1, V8, or V9 file), information may be disclosed and/or arbitrary code may be executed. | |||||
| CVE-2023-47581 | 1 Fujielectric | 2 Tellus, Tellus Lite | 2023-11-21 | N/A | 7.8 HIGH |
| Out-of-bounds read vulnerability exists in TELLUS V4.0.17.0 and earlier and TELLUS Lite V4.0.17.0 and earlier. If a user opens a specially crafted file (X1, V8, or V9 file), information may be disclosed and/or arbitrary code may be executed. | |||||
| CVE-2023-47308 | 1 Activedesign | 1 Newsletterpop | 2023-11-21 | N/A | 9.8 CRITICAL |
| In the module "Newsletter Popup PRO with Voucher/Coupon code" (newsletterpop) before version 2.6.1 from Active Design for PrestaShop, a guest can perform SQL injection in affected versions. The method `NewsletterpopsendVerificationModuleFrontController::checkEmailSubscription()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection. | |||||
| CVE-2023-41570 | 1 Mikrotik | 1 Routeros | 2023-11-21 | N/A | 5.3 MEDIUM |
| MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API. | |||||
| CVE-2023-34062 | 1 Pivotal | 1 Reactor Netty | 2023-11-21 | N/A | 7.5 HIGH |
| In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources. | |||||
| CVE-2023-5985 | 1 Schneider-electric | 4 Ion8650, Ion8650 Firmware, Ion8800 and 1 more | 2023-11-21 | N/A | 4.8 MEDIUM |
| A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user’s browser when an attacker with admin privileges has modified system values. | |||||
| CVE-2023-36558 | 1 Microsoft | 3 .net, Asp.net Core, Visual Studio 2022 | 2023-11-21 | N/A | 5.5 MEDIUM |
| ASP.NET Core - Security Feature Bypass Vulnerability | |||||
| CVE-2023-45627 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2023-11-21 | N/A | 6.5 MEDIUM |
| An authenticated Denial-of-Service (DoS) vulnerability exists in the CLI service. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected access point. | |||||
| CVE-2023-36437 | 1 Microsoft | 1 Azure Pipelines Agent | 2023-11-21 | N/A | 8.8 HIGH |
| Azure DevOps Server Remote Code Execution Vulnerability | |||||
| CVE-2023-34060 | 1 Vmware | 2 Cloud Director, Photon Os | 2023-11-21 | N/A | 9.8 CRITICAL |
| VMware Cloud Director Appliance contains an authentication bypass vulnerability in case VMware Cloud Director Appliance was upgraded to 10.5 from an older version. On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present. VMware Cloud Director Appliance is impacted since it uses an affected version of sssd from the underlying Photon OS. The sssd issue is no longer present in versions of Photon OS that ship with sssd-2.8.1-11 or higher (Photon OS 3) or sssd-2.8.2-9 or higher (Photon OS 4 and 5). | |||||
