Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46619 | 1 Web-dorado | 1 Wdsocialwidgets | 2023-11-17 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WebDorado WDSocialWidgets plugin <= 1.0.15 versions. | |||||
| CVE-2023-26524 | 1 Expresstech | 1 Quiz And Survey Master | 2023-11-17 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.10 versions. | |||||
| CVE-2023-26516 | 1 Wpindeed | 1 Debug Assistant | 2023-11-17 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WPIndeed Debug Assistant plugin <= 1.4 versions. | |||||
| CVE-2023-26518 | 1 Accesspressthemes | 1 Wp Tfeed | 2023-11-17 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in AccessPress Themes WP TFeed plugin <= 1.6.9 versions. | |||||
| CVE-2023-26514 | 1 Wpgrim | 1 Dynamic Xml Sitemaps Generator For Google | 2023-11-17 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WPGrim Dynamic XML Sitemaps Generator for Google plugin <= 1.3.3 versions. | |||||
| CVE-2023-28420 | 1 Leocaseiro | 1 Custom Options Plus | 2023-11-17 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Leo Caseiro Custom Options Plus plugin <= 1.8.1 versions. | |||||
| CVE-2023-46733 | 1 Sensiolabs | 1 Symfony | 2023-11-16 | N/A | 6.5 MEDIUM |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations, which is not the case at the moment. As of versions 5.4.31 and 6.3.8, Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated. | |||||
| CVE-2023-46207 | 1 Stylemixthemes | 1 Motors - Car Dealer, Classifieds & Listing | 2023-11-16 | N/A | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing. This issue affects Motors – Car Dealer, Classifieds & Listing: from n/a through 1.4.6. | |||||
| CVE-2023-47665 | 1 Plainviewplugins | 1 Plainview Protect Passwords | 2023-11-16 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in edward_plainview Plainview Protect Passwords plugin <= 1.4 versions. | |||||
| CVE-2023-47697 | 1 Wp-eventmanager | 1 Wp Event Manager | 2023-11-16 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Event Manager WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin <= 3.1.39 versions. | |||||
| CVE-2023-47696 | 1 Gravitymaster | 1 Product Enquiry For Woocommerce | 2023-11-16 | N/A | 6.1 MEDIUM |
| Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Gravity Master Product Enquiry for WooCommerce plugin <= 3.0 versions. | |||||
| CVE-2023-47695 | 1 Scribit | 1 Shortcodes Finder | 2023-11-16 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Scribit Shortcodes Finder plugin <= 1.5.3 versions. | |||||
| CVE-2023-46636 | 1 Blackbam | 1 Custom Header Images | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in David Stöckl Custom Header Images plugin <= 1.2.1 versions. | |||||
| CVE-2023-46629 | 1 Themelocation | 1 Remove Add To Cart Woocommerce | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in themelocation Remove Add to Cart WooCommerce plugin <= 1.4.4. | |||||
| CVE-2023-46625 | 1 Daext | 1 Autolinks Manager | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in DAEXT Autolinks Manager plugin <= 1.10.04 versions. | |||||
| CVE-2023-46620 | 1 Fluenx | 1 Deepl Api Translation | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Fluenx DeepL API translation plugin <= 2.3.9.1 versions. | |||||
| CVE-2023-33207 | 1 Wielogorski | 1 Stop Referrer Spam | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Krzysztof Wielogórski Stop Referrer Spam plugin <= 1.3.0 versions. | |||||
| CVE-2023-32588 | 1 Brandbrilliance | 1 Post State Tags | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in BRANDbrilliance Post State Tags plugin <= 2.0.6 versions. | |||||
| CVE-2023-32583 | 1 Walkeprashant | 1 Wp All Backup | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Prashant Walke WP All Backup plugin <= 2.4.3 versions. | |||||
| CVE-2023-47230 | 1 Cimatti | 1 Wordpress Contact Forms | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Cimatti Consulting WordPress Contact Forms by Cimatti plugin <= 1.6.0 versions. | |||||
| CVE-2023-46638 | 1 Webcodin | 1 Wcp Openweather | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Webcodin WCP OpenWeather plugin <= 2.5.0 versions. | |||||
| CVE-2023-34384 | 1 Kebo Twitter Feed Project | 1 Kebo Twitter Feed | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Kebo Kebo Twitter Feed plugin <= 1.5.12 versions. | |||||
| CVE-2023-34378 | 1 Scriptburn | 1 Wp Hide Post | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in scriptburn.Com WP Hide Post plugin <= 2.0.10 versions. | |||||
| CVE-2023-28419 | 1 Strangerstudios | 1 Force Display Name | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Stranger Studios Force First and Last Name as Display Name plugin <= 1.2 versions. | |||||
| CVE-2023-46735 | 1 Sensiolabs | 1 Symfony | 2023-11-16 | N/A | 6.1 MEDIUM |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now doesn't return any user-submitted input in its response. | |||||
| CVE-2023-43057 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2023-11-16 | N/A | 5.4 MEDIUM |
| IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 267484. | |||||
| CVE-2023-6069 | 1 Froxlor | 1 Froxlor | 2023-11-16 | N/A | 8.8 HIGH |
| Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0. | |||||
| CVE-2022-45835 | 1 Phonepe | 1 Phonepe | 2023-11-16 | N/A | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in PhonePe PhonePe Payment Solutions. This issue affects PhonePe Payment Solutions: from n/a through 1.0.15. | |||||
| CVE-2023-38364 | 2 Ibm, Linux | 2 Cics Tx, Linux Kernel | 2023-11-16 | N/A | 6.1 MEDIUM |
| IBM CICS TX Advanced 10.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 260821. | |||||
| CVE-2023-5901 | 1 Sfu | 1 Pkp Web Application Library | 2023-11-16 | N/A | 4.8 MEDIUM |
| Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
| CVE-2023-5900 | 1 Sfu | 1 Pkp Web Application Library | 2023-11-16 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
| CVE-2023-46729 | 1 Sentry | 1 Sentry Software Development Kit | 2023-11-16 | N/A | 6.1 MEDIUM |
| sentry-javascript provides Sentry SDKs for JavaScript. An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This issue only affects users who have Next.js SDK tunneling feature enabled. The problem has been fixed in version 7.77.0. | |||||
| CVE-2023-36027 | 1 Microsoft | 1 Edge Chromium | 2023-11-16 | N/A | 6.3 MEDIUM |
| Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | |||||
| CVE-2023-47119 | 1 Discourse | 1 Discourse | 2023-11-16 | N/A | 6.1 MEDIUM |
| Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. | |||||
| CVE-2023-46130 | 1 Discourse | 1 Discourse | 2023-11-16 | N/A | 5.4 MEDIUM |
| Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some theme components allow users to add svgs with unlimited `height` attributes, and this can affect the availability of subsequent replies in a topic. Most Discourse instances are unaffected, only instances with the svgbob or the mermaid theme component are within scope. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable or remove the relevant theme components. | |||||
| CVE-2023-45816 | 1 Discourse | 1 Discourse | 2023-11-16 | N/A | 3.3 LOW |
| Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, there is an edge case where a bookmark reminder is sent and an unread notification is generated, but the underlying bookmarkable (e.g. post, topic, chat message) security has changed, making it so the user can no longer access the underlying resource. As of version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, bookmark reminders are now no longer sent if the user does not have access to the underlying bookmarkable, and also the unread bookmark notifications are always filtered by access. There are no known workarounds. | |||||
| CVE-2023-29975 | 1 Pfsense | 1 Pfsense | 2023-11-16 | N/A | 7.2 HIGH |
| An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification. | |||||
| CVE-2023-28173 | 1 Digitalinspiration | 1 Google Xml Sitemap For Images | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Amit Agarwal Google XML Sitemap for Images plugin <= 2.1.3 versions. | |||||
| CVE-2023-4379 | 1 Gitlab | 1 Gitlab | 2023-11-16 | N/A | 7.5 HIGH |
| An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated. | |||||
| CVE-2023-39796 | 1 Wbce | 1 Wbce Cms | 2023-11-16 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter. | |||||
| CVE-2023-45167 | 1 Ibm | 2 Aix, Vios | 2023-11-16 | N/A | 5.5 MEDIUM |
| IBM AIX's 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service. IBM X-Force ID: 267965. | |||||
| CVE-2023-5549 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 5.3 MEDIUM |
| Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage. | |||||
| CVE-2023-5548 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 5.3 MEDIUM |
| Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. | |||||
| CVE-2023-5545 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 5.3 MEDIUM |
| H5P metadata automatically populated the author with the user's username, which could be sensitive information. | |||||
| CVE-2023-5542 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 4.3 MEDIUM |
| Students in "Only see own membership" groups could see other students in the group, which should be hidden. | |||||
| CVE-2023-5540 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 8.8 HIGH |
| A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. | |||||
| CVE-2023-45140 | 1 Ovh | 1 The-bastion | 2023-11-16 | N/A | 4.6 MEDIUM |
| The Bastion provides authentication, authorization, traceability and auditability for SSH accesses. SCP and SFTP plugins don't honor group-based JIT MFA. Establishing a SCP/SFTP connection through The Bastion via a group access where MFA is enforced does not ask for additional factor. This abnormal behavior only applies to per-group-based JIT MFA. Other MFA setup types, such as Immediate MFA, JIT MFA on a per-plugin basis and JIT MFA on a per-account basis are not affected. This issue has been patched in version 3.14.15. | |||||
| CVE-2023-32966 | 1 Crudlab | 1 Jazz Popups | 2023-11-16 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab Jazz Popups leads to Stored XSS. This issue affects Jazz Popups: from n/a through 1.8.7. | |||||
| CVE-2023-5539 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 8.8 HIGH |
| A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. | |||||
| CVE-2023-47516 | 1 Starkdigital | 1 Category Post List Widget | 2023-11-16 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Stark Digital Category Post List Widget allows Stored XSS. This issue affects Category Post List Widget: from n/a through 2.0. | |||||
