Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-4147 | 4 Debian, Fedoraproject, Linux and 1 more | 8 Debian Linux, Fedora, Linux Kernel and 5 more | 2023-11-21 | N/A | 7.8 HIGH |
| A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system. | |||||
| CVE-2022-30067 | 1 Gimp | 1 Gimp | 2023-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Through a crafted XCF file, the program will allocate for a huge amount of memory, resulting in insufficient memory or program crash. | |||||
| CVE-2021-38111 | 1 Defcon | 2 Def Con 27, Def Con 27 Firmware | 2023-11-21 | 5.8 MEDIUM | 8.8 HIGH |
| The DEF CON 27 badge allows remote attackers to exploit a buffer overflow by sending an oversized packet via the NFMI (Near Field Magnetic Induction) protocol. | |||||
| CVE-2023-47673 | 1 Thecrowned | 1 Post Pay Counter | 2023-11-21 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Stefano Ottolenghi Post Pay Counter plugin <= 2.789 versions. | |||||
| CVE-2023-47662 | 1 Goldbroker | 1 Live Gold Price \& Silver Price Charts Widgets | 2023-11-21 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GoldBroker.Com Live Gold Price & Silver Price Charts Widgets plugin <= 2.4 versions. | |||||
| CVE-2023-45897 | 1 Namjaejeon | 1 Exfatprogs | 2023-11-21 | N/A | 5.5 MEDIUM |
| exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in read_file_dentry_set. | |||||
| CVE-2023-46316 | 2 Buc, Debian | 2 Traceroute, Debian Linux | 2023-11-21 | N/A | 5.5 MEDIUM |
| In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines. | |||||
| CVE-2021-45450 | 2 Arm, Fedoraproject | 2 Mbed Tls, Fedora | 2023-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Mbed TLS before 2.28.0 and 3.x before 3.1.0, psa_cipher_generate_iv and psa_cipher_encrypt allow policy bypass or oracle-based decryption when the output buffer is at memory locations accessible to an untrusted application. | |||||
| CVE-2023-46377 | 2023-11-21 | N/A | N/A | ||
| Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2023-6006 | 2 Microsoft, Papercut | 3 Windows, Papercut Mf, Papercut Ng | 2023-11-21 | N/A | 6.7 MEDIUM |
| This vulnerability potentially allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must be able to write into the local C Drive. In addition, the attacker must have admin privileges to enable Print Archiving or encounter a misconfigured system. This vulnerability does not apply to PaperCut NG installs that have Print Archiving enabled and configured as per the recommended set up procedure. This specific flaw exists within the pc-pdl-to-image process. The process loads an executable from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM | |||||
| CVE-2023-35887 | 1 Apache | 1 Sshd | 2023-11-21 | N/A | 4.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks. This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10 | |||||
| CVE-2023-43979 | 1 Prestahero | 1 Ybc Blog | 2023-11-21 | N/A | 9.8 CRITICAL |
| ETS Soft ybc_blog before v4.4.0 was discovered to contain a SQL injection vulnerability via the component Ybc_blogBlogModuleFrontController::getPosts(). | |||||
| CVE-2023-42814 | 1 Nirmata | 1 Kyverno | 2023-11-21 | N/A | 5.3 MEDIUM |
| Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch attestations. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild. | |||||
| CVE-2023-42813 | 1 Nirmata | 1 Kyverno | 2023-11-21 | N/A | 5.3 MEDIUM |
| Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch attestations. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild. | |||||
| CVE-2023-43590 | 1 Zoom | 1 Rooms | 2023-11-21 | N/A | 7.8 HIGH |
| Link following in Zoom Rooms for macOS before version 5.16.0 may allow an authenticated user to conduct an escalation of privilege via local access. | |||||
| CVE-2023-42816 | 1 Nirmata | 1 Kyverno | 2023-11-21 | N/A | 5.3 MEDIUM |
| Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild. | |||||
| CVE-2023-42815 | 1 Nirmata | 1 Kyverno | 2023-11-21 | N/A | 5.3 MEDIUM |
| Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild. | |||||
| CVE-2023-47621 | 1 Duncanmcclean | 1 Guest Entries | 2023-11-21 | N/A | 8.8 HIGH |
| Guest Entries is a php library which allows users to create, update & delete entries from the front-end of a site. In affected versions the file uploads feature did not prevent the upload of PHP files. This may lead to code execution on the server by authenticated users. This vulnerability is fixed in v3.1.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-23367 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2023-11-21 | N/A | 7.2 HIGH |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTScloud c5.1.0.2498 and later | |||||
| CVE-2023-47127 | 1 Typo3 | 1 Typo3 | 2023-11-21 | N/A | 5.4 MEDIUM |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-47126 | 1 Typo3 | 1 Typo3 | 2023-11-21 | N/A | 5.3 MEDIUM |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected. This issue has been addressed in version 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-47125 | 1 Typo3 | 2 Html Sanitizer, Typo3 | 2023-11-21 | N/A | 6.1 MEDIUM |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-43591 | 1 Zoom | 1 Rooms | 2023-11-21 | N/A | 7.8 HIGH |
| Improper privilege management in Zoom Rooms for macOS before version 5.16.0 may allow an authenticated user to conduct an escalation of privilege via local access. | |||||
| CVE-2023-5381 | 1 Webtechstreet | 1 Elementor Addon Elements | 2023-11-21 | N/A | 4.8 MEDIUM |
| The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.12.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2023-48087 | 1 Xuxueli | 1 Xxl-job | 2023-11-21 | N/A | 5.4 MEDIUM |
| xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailCat. | |||||
| CVE-2023-48089 | 1 Xuxueli | 1 Xxl-job | 2023-11-21 | N/A | 8.8 HIGH |
| xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via /xxl-job-admin/jobcode/save. | |||||
| CVE-2023-48088 | 1 Xuxueli | 1 Xxl-job | 2023-11-21 | N/A | 5.4 MEDIUM |
| xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /xxl-job-admin/joblog/logDetailPage. | |||||
| CVE-2023-4723 | 1 Webtechstreet | 1 Elementor Addon Elements | 2023-11-21 | N/A | 5.3 MEDIUM |
| The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.12.7 via the ajax_eae_post_data function. This can allow unauthenticated attackers to extract sensitive data including post/page ids and titles including those of with pending/draft/future/private status. | |||||
| CVE-2023-40923 | 1 Myprestamodules | 1 Orders \(csv\, Excel\) Export | 2023-11-21 | N/A | 8.8 HIGH |
| MyPrestaModules ordersexport before v5.0 was discovered to contain multiple SQL injection vulnerabilities at send.php via the key and save_setting parameters. | |||||
| CVE-2023-47003 | 1 Redislabs | 1 Redisgraph | 2023-11-21 | N/A | 9.8 CRITICAL |
| An issue in RedisGraph v.2.12.10 allows an attacker to execute arbitrary code and cause a denial of service via a crafted string in DataBlock_ItemIsDeleted. | |||||
| CVE-2023-29157 | 1 Intel | 1 One Boot Flash Update | 2023-11-21 | N/A | 7.8 HIGH |
| Improper access control in some Intel(R) OFU software before version 14.1.31 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-40719 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2023-11-21 | N/A | 5.5 MEDIUM |
| A use of hard-coded credentials vulnerability in Fortinet FortiAnalyzer and FortiManager 7.0.0 - 7.0.8, 7.2.0 - 7.2.3 and 7.4.0 allows an attacker to access Fortinet private testing data via the use of static credentials. | |||||
| CVE-2023-29161 | 1 Intel | 1 One Boot Flash Update | 2023-11-21 | N/A | 7.8 HIGH |
| Uncontrolled search path in some Intel(R) OFU software before version 14.1.31 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-32204 | 1 Intel | 1 One Boot Flash Update | 2023-11-21 | N/A | 7.8 HIGH |
| Improper access control in some Intel(R) OFU software before version 14.1.31 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2023-48204 | 1 Publiccms | 1 Publiccms | 2023-11-21 | N/A | 6.5 MEDIUM |
| An issue in PublicCMS v.4.0.202302.e allows a remote attacker to obtain sensitive information via the appToken and Parameters parameter of the api/method/getHtml component. | |||||
| CVE-2023-43275 | 1 Dedecms | 1 Dedecms | 2023-11-21 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in DedeCMS v5.7 in 110 backend management interface via /catalog_add.php, allows attackers to create crafted web pages due to a lack of verification of the token value of the submitted form. | |||||
| CVE-2021-35437 | 1 Lmxcms | 1 Lmxcms | 2023-11-21 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in LMXCMS v.1.4 allows attacker to execute arbitrary code via the TagsAction.class. | |||||
| CVE-2023-44248 | 1 Fortinet | 1 Fortiedr | 2023-11-21 | N/A | 5.5 MEDIUM |
| An improper access control vulnerability [CWE-284] in FortiEDRCollectorWindows version 5.2.0.4549 and below, 5.0.3.1007 and below, 4.0 all may allow a local attacker to prevent the collector service to start in the next system reboot by tampering with some registry keys of the service. | |||||
| CVE-2023-41840 | 1 Fortinet | 1 Forticlient | 2023-11-21 | N/A | 7.8 HIGH |
| A untrusted search path vulnerability in Fortinet FortiClientWindows 7.0.9 allows an attacker to perform a DLL Hijack attack via a malicious OpenSSL engine library in the search path. | |||||
| CVE-2023-41676 | 1 Fortinet | 1 Fortisiem | 2023-11-21 | N/A | 6.5 MEDIUM |
| An exposure of sensitive information to an unauthorized actor [CWE-200] in FortiSIEM version 7.0.0 and before 6.7.5 may allow an attacker with access to windows agent logs to obtain the windows agent password via searching through the logs. | |||||
| CVE-2023-36021 | 1 Microsoft | 1 On-prem Data Gateway | 2023-11-21 | N/A | 8.0 HIGH |
| Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability | |||||
| CVE-2023-36025 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2023-11-21 | N/A | 8.8 HIGH |
| Windows SmartScreen Security Feature Bypass Vulnerability | |||||
| CVE-2023-47657 | 1 Grandplugins | 1 Woo Quick View And Buy Now | 2023-11-21 | N/A | 4.8 MEDIUM |
| Auth. (ShopManager+) Stored Cross-Site Scripting (XSS) vulnerability in GrandPlugins Direct Checkout – Quick View – Buy Now For WooCommerce plugin <= 1.5.8 versions. | |||||
| CVE-2023-34375 | 1 10web | 1 Seo | 2023-11-21 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 10Web SEO by 10Web plugin <= 1.2.9 versions. | |||||
| CVE-2023-32957 | 1 Dazzlersoft | 1 Team Members Showcase | 2023-11-21 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Dazzlersoft Team Members Showcase plugin <= 1.3.4 versions. | |||||
| CVE-2023-32796 | 1 Mingocommerce | 1 Woocommerce Product Enquiry | 2023-11-21 | N/A | 6.1 MEDIUM |
| Unauth. Stored Cross-Site Scripting (XSS) vulnerability in MingoCommerce WooCommerce Product Enquiry plugin <= 2.3.4 versions. | |||||
| CVE-2023-47512 | 1 Wphive | 1 Product Enquiry For Woocommerce | 2023-11-21 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Gravity Master Product Enquiry for WooCommerce plugin <= 3.0 versions. | |||||
| CVE-2023-47509 | 1 Ioannup | 1 Edit Woocommerce Templates | 2023-11-21 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ioannup Edit WooCommerce Templates plugin <= 1.1.1 versions. | |||||
| CVE-2023-4689 | 1 Webtechstreet | 1 Elementor Addon Elements | 2023-11-21 | N/A | 4.3 MEDIUM |
| The Elementor Addon Elements plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.12.7. This is due to missing or incorrect nonce validation on the eae_save_elements function. This makes it possible for unauthenticated attackers to enable/disable elementor addon elements via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-48200 | 1 Grocy Project | 1 Grocy | 2023-11-21 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the equipment description component within /equipment/ component. | |||||