Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46634 | 1 Phoeniixx | 1 Custom My Account For Woocommerce | 2023-11-16 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in phoeniixx Custom My Account for Woocommerce allows Cross-Site Scripting (XSS). This issue affects Custom My Account for Woocommerce: from n/a through 2.1. | |||||
| CVE-2023-47163 | 1 Remarshal Project | 1 Remarshal | 2023-11-16 | N/A | 7.5 HIGH |
| Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition. | |||||
| CVE-2023-46201 | 1 Auto Login New User After Registration Project | 1 Auto Login New User After Registration | 2023-11-16 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Jeff Sherk Auto Login New User After Registration allows Stored XSS. This issue affects Auto Login New User After Registration: from n/a through 1.9.6. | |||||
| CVE-2023-47652 | 1 Autoaffiliatelinks | 1 Auto Affiliate Links | 2023-11-16 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links allows Stored XSS. This issue affects Auto Affiliate Links: from n/a through 6.4.2.4. | |||||
| CVE-2023-35877 | 1 Vadimk | 1 Extra User Details | 2023-11-16 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Vadym K. Extra User Details allows Stored XSS. This issue affects Extra User Details: from n/a through 0.5. | |||||
| CVE-2023-41285 | 1 Qnap | 1 Qumagie | 2023-11-16 | N/A | 8.8 HIGH |
| A SQL injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.4 and later | |||||
| CVE-2023-45077 | 1 Lenovo | 122 Ideacentre 3-07ada05, Ideacentre 3-07ada05 Firmware, Ideacentre 3-07imb05 and 119 more | 2023-11-16 | N/A | 6.7 MEDIUM |
| A memory leakage vulnerability was reported in the 534D0740 DXE driver that may allow a local attacker with elevated privileges to write to NVRAM variables. | |||||
| CVE-2023-45078 | 1 Lenovo | 122 Ideacentre 3-07ada05, Ideacentre 3-07ada05 Firmware, Ideacentre 3-07imb05 and 119 more | 2023-11-16 | N/A | 6.7 MEDIUM |
| A memory leakage vulnerability was reported in the DustFilterAlertSmm SMM driver that may allow a local attacker with elevated privileges to write to NVRAM variables. | |||||
| CVE-2023-5078 | 1 Lenovo | 40 Thinkpad L13 Gen 2, Thinkpad L13 Gen 2 Firmware, Thinkpad L13 Gen 3 and 37 more | 2023-11-16 | N/A | 6.7 MEDIUM |
| A vulnerability was reported in some ThinkPad BIOS that could allow a physical or local attacker with elevated privileges to tamper with BIOS firmware. | |||||
| CVE-2023-5075 | 1 Lenovo | 2 Ideapad Duet 3 10igl5, Ideapad Duet 3 10igl5 Firmware | 2023-11-16 | N/A | 6.7 MEDIUM |
| A buffer overflow was reported in the FmpSipoCapsuleDriver driver in the IdeaPad Duet 3-10IGL5 that may allow a local attacker with elevated privileges to execute arbitrary code. | |||||
| CVE-2023-4891 | 2 Lenovo, Microsoft | 2 View Driver, Windows | 2023-11-16 | N/A | 5.5 MEDIUM |
| A potential use-after-free vulnerability was reported in the Lenovo View driver that could result in denial of service. | |||||
| CVE-2023-6039 | 1 Linux | 1 Linux Kernel | 2023-11-16 | N/A | 5.5 MEDIUM |
| A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches. | |||||
| CVE-2023-39295 | 1 Qnap | 1 Qumagie | 2023-11-16 | N/A | 8.8 HIGH |
| An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.3 and later | |||||
| CVE-2023-6075 | 1 Phpgurukul | 1 Restaurant Table Booking System | 2023-11-16 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in PHPGurukul Restaurant Table Booking System 1.0. Affected is an unknown function of the file index.php of the component Reservation Request Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-244944. | |||||
| CVE-2023-6074 | 1 Phpgurukul | 1 Restaurant Table Booking System | 2023-11-16 | N/A | 9.8 CRITICAL |
| A vulnerability was found in PHPGurukul Restaurant Table Booking System 1.0. It has been rated as critical. This issue affects some unknown processing of the file check-status.php of the component Booking Reservation Handler. The manipulation leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-244943. | |||||
| CVE-2023-47164 | 1 Digitaldruid | 1 Hoteldruid | 2023-11-16 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product. | |||||
| CVE-2023-41284 | 1 Qnap | 1 Qumagie | 2023-11-16 | N/A | 8.8 HIGH |
| A SQL injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.4 and later | |||||
| CVE-2023-31077 | 1 Myrecorp | 1 Export Wp Page To Static Html/css | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in ReCorp Export WP Page to Static HTML/CSS plugin <= 2.1.9 versions. | |||||
| CVE-2023-6076 | 1 Phpgurukul | 1 Restaurant Table Booking System | 2023-11-16 | N/A | 7.5 HIGH |
| A vulnerability classified as problematic was found in PHPGurukul Restaurant Table Booking System 1.0. Affected by this vulnerability is an unknown functionality of the file booking-details.php of the component Reservation Status Handler. The manipulation of the argument bid leads to information disclosure. The attack can be launched remotely. The identifier VDB-244945 was assigned to this vulnerability. | |||||
| CVE-2023-47614 | 1 Telit | 20 Bgs5, Bgs5 Firmware, Ehs5 and 17 more | 2023-11-16 | N/A | 3.3 LOW |
| A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to disclose hidden virtual paths and file names on the targeted system. | |||||
| CVE-2023-47611 | 1 Telit | 20 Bgs5, Bgs5 Firmware, Ehs5 and 17 more | 2023-11-16 | N/A | 7.8 HIGH |
| A CWE-269: Improper Privilege Management vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to elevate privileges to "manufacturer" level on the targeted system. | |||||
| CVE-2023-47122 | 1 Sigstore | 1 Gitsign | 2023-11-16 | N/A | 5.3 MEDIUM |
| Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise of the default public good instance (`rekor.sigstore.dev`); anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available. | |||||
| CVE-2023-45079 | 1 Lenovo | 122 Ideacentre 3-07ada05, Ideacentre 3-07ada05 Firmware, Ideacentre 3-07imb05 and 119 more | 2023-11-16 | N/A | 6.7 MEDIUM |
| A memory leakage vulnerability was reported in the NvmramSmm SMM driver that may allow a local attacker with elevated privileges to write to NVRAM variables. | |||||
| CVE-2023-4804 | 1 Johnsoncontrols | 12 Quantum Hd Unity Acuair, Quantum Hd Unity Acuair Firmware, Quantum Hd Unity Compressor and 9 more | 2023-11-16 | N/A | 9.8 CRITICAL |
| An unauthorized user could access debug features in Quantum HD Unity products that were accidentally exposed. | |||||
| CVE-2023-28694 | 1 Wbcomdesigns | 1 Buddypress Activity Social Share | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Wbcom Designs Wbcom Designs – BuddyPress Activity Social Share plugin <= 3.5.0 versions. | |||||
| CVE-2023-28618 | 1 Infolific | 1 Enhanced Plugin Admin | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou Enhanced Plugin Admin plugin <= 1.16 versions. | |||||
| CVE-2023-28696 | 1 Themeist | 1 I Recommend This | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Harish Chouhan, Themeist I Recommend This plugin <= 3.9.0 versions. | |||||
| CVE-2023-47669 | 1 Cozmoslabs | 1 Profile Builder | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin <= 3.10.3 versions. | |||||
| CVE-2023-28930 | 1 Robinphillips | 1 Mobile Banner | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Robin Phillips Mobile Banner plugin <= 1.5 versions. | |||||
| CVE-2023-29425 | 1 Plainware | 1 Shiftcontroller | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in plainware.com ShiftController Employee Shift Scheduling plugin <= 4.9.23 versions. | |||||
| CVE-2023-29238 | 1 Whydonate | 1 Wp Whydonate | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Whydonate Whydonate – FREE Donate button – Crowdfunding – Fundraising plugin <= 3.12.15 versions. | |||||
| CVE-2023-28987 | 1 Wpmet | 1 Wp Ultimate Review | 2023-11-16 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.0.3 versions. | |||||
| CVE-2023-26221 | 1 Tibco | 3 Spotfire Analyst, Spotfire Analytics Platform, Spotfire Server | 2023-11-16 | N/A | 3.9 LOW |
| The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0. | |||||
| CVE-2023-45076 | 1 Lenovo | 122 Ideacentre 3-07ada05, Ideacentre 3-07ada05 Firmware, Ideacentre 3-07imb05 and 119 more | 2023-11-16 | N/A | 6.7 MEDIUM |
| A memory leakage vulnerability was reported in the 534D0140 DXE driver that may allow a local attacker with elevated privileges to write to NVRAM variables. | |||||
| CVE-2023-47004 | 1 Redislabs | 1 Redisgraph | 2023-11-16 | N/A | 8.8 HIGH |
| Buffer Overflow vulnerability in Redis RedisGraph v.2.x through v.2.12.8 and fixed in v.2.12.9 allows an attacker to execute arbitrary code via the code logic after valid authentication. | |||||
| CVE-2023-47690 | 1 Antonbond | 1 Additional Order Filters For Woocommerce | 2023-11-16 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Anton Bond Additional Order Filters for WooCommerce plugin <= 1.10 versions. | |||||
| CVE-2023-48068 | 1 Dedecms | 1 Dedecms | 2023-11-16 | N/A | 5.4 MEDIUM |
| DedeCMS v6.2 was discovered to contain a Cross-site Scripting (XSS) vulnerability via spec_add.php. | |||||
| CVE-2023-48063 | 1 Dreamer Cms Project | 1 Dreamer Cms | 2023-11-16 | N/A | 4.3 MEDIUM |
| An issue was discovered in dreamer_cms 4.1.3. There is a CSRF vulnerability that can delete a theme project via /admin/category/delete. | |||||
| CVE-2023-48060 | 1 Dreamer Cms Project | 1 Dreamer Cms | 2023-11-16 | N/A | 8.8 HIGH |
| Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/task/add. | |||||
| CVE-2023-45875 | 1 Couchbase | 1 Couchbase Server | 2023-11-16 | N/A | 7.5 HIGH |
| An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster. | |||||
| CVE-2023-45857 | 1 Axios | 1 Axios | 2023-11-16 | N/A | 6.5 MEDIUM |
| An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information. | |||||
| CVE-2023-29974 | 1 Pfsense | 1 Pfsense | 2023-11-16 | N/A | 9.8 CRITICAL |
| An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements. | |||||
| CVE-2023-48058 | 1 Dreamer Cms Project | 1 Dreamer Cms | 2023-11-16 | N/A | 8.8 HIGH |
| Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/task/run. | |||||
| CVE-2023-47109 | 1 Prestashop | 1 Customer Reassurance Block | 2023-11-16 | N/A | 8.1 HIGH |
| PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4. | |||||
| CVE-2023-4632 | 1 Lenovo | 1 System Update | 2023-11-16 | N/A | 7.8 HIGH |
| An uncontrolled search path vulnerability was reported in Lenovo System Update that could allow an attacker with local access to execute code with elevated privileges. | |||||
| CVE-2023-47114 | 1 Ethyca | 1 Fides | 2023-11-16 | N/A | 6.1 MEDIUM |
| Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then be retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include json and csv, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine. It was identified that there was no validation of input coming from e.g. the connected systems and data stores, which is later reflected in the downloaded data. This can result in an HTML injection that can be abused e.g. for phishing attacks or malicious JavaScript code execution, but only in the context of the data subject's browser accessing an HTML page using the `file://` protocol. Exploitation is limited to rogue Admin UI users, malicious connected system / data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves. This vulnerability has been patched in version 2.23.3. | |||||
| CVE-2023-47111 | 1 Zitadel | 1 Zitadel | 2023-11-16 | N/A | 3.7 LOW |
| ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum amount of failed password check attempts. On every failed password check, the amount of failed checks is compared against the configured maximum. Exceeding the limit will lock the user and prevent further authentication. In the affected implementation it was possible for an attacker to start multiple parallel password checks, giving them the possibility to try out more combinations than configured in the `Lockout Policy`. This vulnerability has been patched in versions 2.40.5 and 2.38.3. | |||||
| CVE-2023-46021 | 1 Code-projects | 1 Blood Bank | 2023-11-16 | N/A | 5.5 MEDIUM |
| SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary commands via the 'reqid' parameter. | |||||
| CVE-2023-46020 | 1 Code-projects | 1 Blood Bank | 2023-11-16 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in updateprofile.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'rename', 'remail', 'rphone' and 'rcity' parameters. | |||||
| CVE-2023-46019 | 1 Code-projects | 1 Blood Bank | 2023-11-16 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in abs.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'error' parameter. | |||||
