Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-8863 | 1 Philips | 1 Encoreanywhere | 2023-11-17 | N/A | 7.5 HIGH |
| The HTTP header in Philips EncoreAnywhere contains data an attacker may be able to use to gain sensitive information. | |||||
| CVE-2023-45806 | 1 Discourse | 1 Discourse | 2023-11-17 | N/A | 5.4 MEDIUM |
| Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, if a user has been quoted and uses a `|` in their full name, they might be able to trigger a bug that generates a lot of duplicate content in all the posts they've been quoted by updating their full name again. Version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches contain a patch for this issue. No known workaround exists, although one can stop the "bleeding" by ensuring users only use alphanumeric characters in their full name field. | |||||
| CVE-2023-6126 | 1 Salesagility | 1 Suitecrm | 2023-11-17 | N/A | 9.8 CRITICAL |
| Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. | |||||
| CVE-2023-6127 | 1 Salesagility | 1 Suitecrm | 2023-11-17 | N/A | 5.4 MEDIUM |
| Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. | |||||
| CVE-2023-31247 | 2 Silabs, Weston-embedded | 3 Gecko Software Development Kit, Cesium Net, Uc-http | 2023-11-17 | N/A | 9.8 CRITICAL |
| A memory corruption vulnerability exists in the HTTP Server Host header parsing functionality of Weston Embedded uC-HTTP v3.01.01. A specially crafted network packet can lead to code execution. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2023-45881 | 1 Gibbonedu | 1 Gibbon | 2023-11-17 | N/A | 6.1 MEDIUM |
| GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response. | |||||
| CVE-2023-6128 | 1 Salesagility | 1 Suitecrm | 2023-11-17 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. | |||||
| CVE-2023-26156 | 1 Chromedriver Project | 1 Chromedriver | 2023-11-17 | N/A | 7.5 HIGH |
| Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system. **Note:** An attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver. | |||||
| CVE-2023-46492 | 1 Mldb | 1 Machine Learning Database | 2023-11-17 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in MLDB.ai v.2017.04.17.0 allows a remote attacker to execute arbitrary code via a crafted payload to the public_html/doc/index.html. | |||||
| CVE-2023-4612 | 1 Apereo | 1 Central Authentication Service | 2023-11-17 | N/A | 9.8 CRITICAL |
| Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass.This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vulnerability. | |||||
| CVE-2022-41076 | 1 Microsoft | 11 Powershell, Windows 10, Windows 11 and 8 more | 2023-11-17 | N/A | 8.5 HIGH |
| PowerShell Remote Code Execution Vulnerability | |||||
| CVE-2022-41089 | 1 Microsoft | 11 .net Framework, Windows 10, Windows 11 and 8 more | 2023-11-17 | N/A | 7.8 HIGH |
| .NET Framework Remote Code Execution Vulnerability | |||||
| CVE-2022-44689 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2019 and 2 more | 2023-11-17 | N/A | 7.8 HIGH |
| Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | |||||
| CVE-2022-41121 | 1 Microsoft | 12 Powershell, Remote Desktop, Windows 10 and 9 more | 2023-11-17 | N/A | 7.8 HIGH |
| Windows Graphics Component Elevation of Privilege Vulnerability | |||||
| CVE-2022-44702 | 1 Microsoft | 3 Terminal, Windows 10, Windows 11 | 2023-11-17 | N/A | 7.8 HIGH |
| Windows Terminal Remote Code Execution Vulnerability | |||||
| CVE-2022-44704 | 1 Microsoft | 1 Windows Sysmon | 2023-11-17 | N/A | 7.8 HIGH |
| Microsoft Windows System Monitor (Sysmon) Elevation of Privilege Vulnerability | |||||
| CVE-2023-24585 | 2 Silabs, Weston-embedded | 3 Gecko Software Development Kit, Cesium Net, Uc-http | 2023-11-17 | N/A | 9.8 CRITICAL |
| An out-of-bounds write vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP v3.01.01. A specially crafted network packet can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. | |||||
| CVE-2022-28143 | 1 Jenkins | 1 Proxmox | 2023-11-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. | |||||
| CVE-2022-28142 | 1 Jenkins | 1 Proxmox | 2023-11-17 | 4.3 MEDIUM | 7.5 HIGH |
| Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues. | |||||
| CVE-2022-28141 | 1 Jenkins | 1 Proxmox | 2023-11-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-28140 | 1 Jenkins | 1 Flaky Test Handler | 2023-11-17 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-28139 | 1 Jenkins | 1 Rocketchat Notifier | 2023-11-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2022-28138 | 1 Jenkins | 1 Rocketchat Notifier | 2023-11-17 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credential. | |||||
| CVE-2022-29043 | 1 Jenkins | 1 Mask Passwords | 2023-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Mask Passwords Plugin 3.0 and earlier does not escape the name and description of Non-Stored Password parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-29042 | 1 Jenkins | 1 Job Generator | 2023-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Job Generator Plugin 1.22 and earlier does not escape the name and description of Generator Parameter and Generator Choice parameters on Job Generator jobs' Build With Parameters views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-29041 | 1 Jenkins | 1 Jira | 2023-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Jira Plugin 3.7 and earlier, except 3.6.1, does not escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-28148 | 2 Jenkins, Microsoft | 2 Continuous Integration With Toad Edge, Windows | 2023-11-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Item/Read permission to obtain the contents of arbitrary files on Windows controllers. | |||||
| CVE-2022-28147 | 1 Jenkins | 1 Continuous Integration With Toad Edge | 2023-11-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | |||||
| CVE-2022-29040 | 1 Jenkins | 1 Git Parameter | 2023-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Git Parameter Plugin 0.9.15 and earlier does not escape the name and description of Git parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-28146 | 1 Jenkins | 1 Continuous Integration With Toad Edge | 2023-11-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps. | |||||
| CVE-2022-28145 | 1 Jenkins | 1 Continuous Integration With Toad Edge | 2023-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in a stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission or otherwise able to control report contents. | |||||
| CVE-2022-28144 | 1 Jenkins | 1 Proxmox | 2023-11-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. | |||||
| CVE-2022-29039 | 1 Jenkins | 1 Gerrit Trigger | 2023-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Gerrit Trigger Plugin 2.35.2 and earlier does not escape the name and description of Base64 Encoded String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-29038 | 1 Jenkins | 1 Extended Choice Parameter | 2023-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the name and description of Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-29037 | 1 Jenkins | 1 Cvs | 2023-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-29036 | 1 Jenkins | 1 Credentials | 2023-11-17 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2023-47129 | 1 Statamic | 1 Statamic | 2023-11-17 | N/A | 9.8 CRITICAL |
| Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0. | |||||
| CVE-2023-5959 | 1 Byzoro | 2 Smart S85f, Smart S85f Firmware | 2023-11-17 | N/A | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Beijing Baichuo Smart S85F Management Platform V31R02B10-01. Affected is an unknown function of the file /login.php. The manipulation of the argument txt_newpwd leads to weak password recovery. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-244992. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-5551 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-17 | N/A | 3.3 LOW |
| Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups. | |||||
| CVE-2023-40054 | 1 Solarwinds | 1 Network Configuration Manager | 2023-11-17 | N/A | 8.8 HIGH |
| The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33226 | |||||
| CVE-2023-40055 | 1 Solarwinds | 1 Network Configuration Manager | 2023-11-17 | N/A | 8.8 HIGH |
| The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33227 | |||||
| CVE-2023-46743 | 1 Xwiki | 1 Application-collabora | 2023-11-17 | N/A | 4.3 MEDIUM |
| application-collabora is an integration of Collabora Online in XWiki. As part of the application use cases, depending on the rights that a user has over a document, they should be able to open the office attachments files in view or edit mode. Currently, if a user opens an attachment file in edit mode in collabora, this right will be preserved for all future users, until the editing session is closes, even if some of them have only view right. Collabora server is the one issuing this request and it seems that the `userCanWrite` query parameter is cached, even if, for example, token is not. This issue has been patched in version 1.3. | |||||
| CVE-2023-45284 | 2 Golang, Microsoft | 2 Go, Windows | 2023-11-17 | N/A | 5.3 MEDIUM |
| On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local. | |||||
| CVE-2023-5550 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-17 | N/A | 9.8 CRITICAL |
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. | |||||
| CVE-2023-4603 | 1 Star-emea | 1 Star Cloudprnt For Woocommerce | 2023-11-17 | N/A | 6.1 MEDIUM |
| The Star CloudPRNT for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'printersettings' parameter in versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2023-45558 | 1 Golden Project | 1 Golden | 2023-11-17 | N/A | 7.5 HIGH |
| An issue in Golden v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. | |||||
| CVE-2023-45560 | 1 Memberscard Project | 1 Memberscard | 2023-11-17 | N/A | 7.5 HIGH |
| An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. | |||||
| CVE-2023-46025 | 1 Phpgurukul | 1 Teacher Subject Allocation Management System | 2023-11-17 | N/A | 4.9 MEDIUM |
| SQL Injection vulnerability in teacher-info.php in phpgurukul Teacher Subject Allocation Management System 1.0 allows attackers to obtain sensitive information via the 'editid' parameter. | |||||
| CVE-2023-46024 | 1 Phpgurukul | 1 Teacher Subject Allocation Management System | 2023-11-17 | N/A | 7.5 HIGH |
| SQL Injection vulnerability in index.php in phpgurukul Teacher Subject Allocation Management System 1.0 allows attackers to run arbitrary SQL commands and obtain sensitive information via the 'searchdata' parameter. | |||||
| CVE-2023-46023 | 1 Code-projects | 1 Simple Task List | 2023-11-17 | N/A | 6.5 MEDIUM |
| SQL injection vulnerability in addTask.php in Code-Projects Simple Task List 1.0 allows attackers to obtain sensitive information via the 'status' parameter. | |||||