Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5362 | 1 Spicethemes | 1 Carousel\, Recent Post Slider And Banner Slider | 2023-11-13 | N/A | 5.4 MEDIUM |
| The Carousel, Recent Post Slider and Banner Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'spice_post_slider' shortcode in versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-38965 | 1 Oretnom23 | 1 Lost And Found Information System | 2023-11-13 | N/A | 9.8 CRITICAL |
| Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI. | |||||
| CVE-2023-5199 | 1 Php To Page Project | 1 Php To Page | 2023-11-13 | N/A | 8.8 HIGH |
| The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to include local file and potentially execute code on the server. While subscribers may need to poison log files or otherwise get a file installed in order to achieve remote code execution, author and above users can upload files by default and achieve remote code execution easily. | |||||
| CVE-2020-10225 | 1 Phpgurukul | 1 Job Portal | 2023-11-13 | 7.5 HIGH | 9.8 CRITICAL |
| An unauthenticated file upload vulnerability has been identified in admin/gallery.php in PHPGurukul Job Portal 1.0. The vulnerability could be exploited by an unauthenticated remote attacker to upload content to the server, including PHP files, which could result in command execution. | |||||
| CVE-2023-5834 | 1 Hashicorp | 1 Vagrant | 2023-11-13 | N/A | 7.8 HIGH |
| HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0. | |||||
| CVE-2023-46490 | 1 Cacti | 1 Cacti | 2023-11-13 | N/A | 6.5 MEDIUM |
| SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function. | |||||
| CVE-2023-31016 | 2 Microsoft, Nvidia | 2 Windows, Virtual Gpu | 2023-11-13 | N/A | 7.8 HIGH |
| NVIDIA GPU Display Driver for Windows contains a vulnerability where an uncontrolled search path element may allow an attacker to execute arbitrary code, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | |||||
| CVE-2023-5814 | 1 Oretnom23 | 1 Task Reminder System | 2023-11-13 | N/A | 8.8 HIGH |
| A vulnerability was found in SourceCodester Task Reminder System 1.0. It has been classified as critical. This affects an unknown part of the file /classes/Master.php?f=save_reminder. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The identifier VDB-243645 was assigned to this vulnerability. | |||||
| CVE-2023-5813 | 1 Oretnom23 | 1 Task Reminder System | 2023-11-13 | N/A | 8.8 HIGH |
| A vulnerability was found in SourceCodester Task Reminder System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /classes/Master.php?f=delete_reminder. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-243644. | |||||
| CVE-2023-5037 | 2023-11-13 | N/A | N/A | ||
| Rejected reason: CVE number will be reassigned. | |||||
| CVE-2023-36022 | 1 Microsoft | 1 Edge Chromium | 2023-11-13 | N/A | 6.6 MEDIUM |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | |||||
| CVE-2023-36029 | 1 Microsoft | 1 Edge | 2023-11-13 | N/A | 4.3 MEDIUM |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | |||||
| CVE-2023-36034 | 1 Microsoft | 1 Edge Chromium | 2023-11-13 | N/A | 7.3 HIGH |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | |||||
| CVE-2023-40611 | 1 Apache | 1 Airflow | 2023-11-12 | N/A | 4.3 MEDIUM |
| Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability. | |||||
| CVE-2023-0745 | 1 Yugabyte | 1 Yugabytedb Managed | 2023-11-10 | N/A | 9.8 CRITICAL |
| The High Availability functionality of Yugabyte Anywhere can be abused to write arbitrary files through the backup upload endpoint by using path traversal characters. This vulnerability is associated with program files PlatformReplicationManager.Java. This issue affects YugabyteDB Anywhere: from 2.0.0.0 through 2.13.0.0 | |||||
| CVE-2023-0575 | 4 Apple, Linux, Microsoft and 1 more | 5 Iphone Os, Macos, Linux Kernel and 2 more | 2023-11-10 | N/A | 9.8 CRITICAL |
| External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py. This issue affects Yugabyte DB: Lesser then 2.2.0.0 | |||||
| CVE-2023-0574 | 1 Yugabyte | 1 Yugabytedb Managed | 2023-11-10 | N/A | 9.8 CRITICAL |
| Server-Side Request Forgery (SSRF), Improperly Controlled Modification of Dynamically-Determined Object Attributes, Improper Restriction of Excessive Authentication Attempts vulnerability in YugaByte, Inc. Yugabyte Managed allows Accessing Functionality Not Properly Constrained by ACLs, Communication Channel Manipulation, Authentication Abuse.This issue affects Yugabyte Managed: from 2.0.0.0 through 2.13.0.0 | |||||
| CVE-2023-42445 | 1 Gradle | 1 Gradle | 2023-11-10 | N/A | 5.3 MEDIUM |
| Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities. | |||||
| CVE-2023-40745 | 3 Fedoraproject, Libtiff, Redhat | 3 Fedora, Libtiff, Enterprise Linux | 2023-11-10 | N/A | 6.5 MEDIUM |
| LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow. | |||||
| CVE-2023-44387 | 1 Gradle | 1 Gradle | 2023-11-10 | N/A | 6.5 MEDIUM |
| Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file. | |||||
| CVE-2023-41900 | 2 Debian, Eclipse | 2 Debian Linux, Jetty | 2023-11-10 | N/A | 4.3 MEDIUM |
| Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue. | |||||
| CVE-2023-33924 | 1 Felixwelberg | 1 Sis Handball | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Felix Welberg SIS Handball allows SQL Injection.This issue affects SIS Handball: from n/a through 1.0.45. | |||||
| CVE-2023-27605 | 1 Wp Reroute Email Project | 1 Wp Reroute Email | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sajjad Hossain WP Reroute Email allows SQL Injection.This issue affects WP Reroute Email: from n/a through 1.4.6. | |||||
| CVE-2023-40207 | 1 Rednao | 1 Donations Made Easy - Smart Donations | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedNao Donations Made Easy – Smart Donations allows SQL Injection.This issue affects Donations Made Easy – Smart Donations: from n/a through 4.0.12. | |||||
| CVE-2023-38382 | 1 Subscribe To Category Project | 1 Subscribe To Category | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category allows SQL Injection.This issue affects Subscribe to Category: from n/a through 2.7.4. | |||||
| CVE-2023-35911 | 1 Creative-solutions | 1 Contact Form Generator | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Creative Solutions Contact Form Generator : Creative form builder for WordPress allows SQL Injection.This issue affects Contact Form Generator : Creative form builder for WordPress: from n/a through 2.6.0. | |||||
| CVE-2023-28748 | 1 Appjetty | 1 Copy Or Move Comments | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in biztechc Copy or Move Comments allows SQL Injection.This issue affects Copy or Move Comments: from n/a through 5.0.4. | |||||
| CVE-2023-45001 | 1 Castos | 1 Seriously Simple Stats | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Castos Seriously Simple Stats allows SQL Injection.This issue affects Seriously Simple Stats: from n/a through 1.5.0. | |||||
| CVE-2023-41685 | 1 Ilghera | 1 Woocommerce Support System | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ilGhera Woocommerce Support System allows SQL Injection.This issue affects Woocommerce Support System: from n/a through 1.2.1. | |||||
| CVE-2023-40609 | 1 Rocklobster | 1 Contact Form 7 Custom Validation | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aiyaz, maheshpatel Contact form 7 Custom validation allows SQL Injection.This issue affects Contact form 7 Custom validation: from n/a through 1.1.3. | |||||
| CVE-2023-45074 | 1 Pagevisitcounter | 1 Advanced Page Visit Counter | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress allows SQL Injection.This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 7.1.1. | |||||
| CVE-2023-45069 | 1 Total-soft | 1 Video Gallery | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Video Gallery by Total-Soft Video Gallery – Best WordPress YouTube Gallery Plugin allows SQL Injection.This issue affects Video Gallery – Best WordPress YouTube Gallery Plugin: from n/a through 2.1.3. | |||||
| CVE-2023-45055 | 1 Inspireui | 1 Mstore Api | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InspireUI MStore API allows SQL Injection.This issue affects MStore API: from n/a through 4.0.6. | |||||
| CVE-2023-45046 | 1 Pressference | 1 Pressference Exporter | 2023-11-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pressference Pressference Exporter allows SQL Injection.This issue affects Pressference Exporter: from n/a through 1.0.3. | |||||
| CVE-2023-46352 | 1 Smartmodules | 1 Facebookconversiontrackingplus | 2023-11-10 | N/A | 7.5 HIGH |
| In the module "Pixel Plus: Events + CAPI + Pixel Catalog for Facebook Module" (facebookconversiontrackingplus) up to version 2.4.9 from Smart Modules for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can access exports from the module which can lead to a leak of personal information from ps_customer table such as name / surname / email. | |||||
| CVE-2023-43194 | 1 Rcos | 1 Submitty | 2023-11-10 | N/A | 5.3 MEDIUM |
| Submitty before v22.06.00 is vulnerable to Incorrect Access Control. An attacker can delete any post in the forum by modifying request parameter. | |||||
| CVE-2023-42299 | 1 Openimageio | 1 Openimageio | 2023-11-10 | N/A | 9.8 CRITICAL |
| Buffer Overflow vulnerability in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_subimage_data function. | |||||
| CVE-2023-39283 | 1 Insyde | 1 Insydeh2o | 2023-11-10 | N/A | 7.8 HIGH |
| An SMM memory corruption vulnerability in the SMM driver (SMRAM write) in CsmInt10HookSmm in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to send arbitrary data to SMM which could lead to privilege escalation. | |||||
| CVE-2023-39057 | 1 Lycorp | 1 Line Mini App | 2023-11-10 | N/A | 7.5 HIGH |
| An information leak in hirochanKAKIwaiting v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | |||||
| CVE-2023-39054 | 1 Lycorp | 1 Line Mini App | 2023-11-10 | N/A | 7.5 HIGH |
| An information leak in Tokudaya.ekimae_mc v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | |||||
| CVE-2023-39053 | 1 Lycorp | 1 Line Mini App | 2023-11-10 | N/A | 7.5 HIGH |
| An information leak in Hattoriya v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | |||||
| CVE-2023-39051 | 1 Lycorp | 1 Line Mini App | 2023-11-10 | N/A | 7.5 HIGH |
| An information leak in VISION MEAT WORKS Track Diner 10/10mbl v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | |||||
| CVE-2023-39050 | 1 Lycorp | 1 Line Mini App | 2023-11-10 | N/A | 7.5 HIGH |
| An information leak in Daiky-value.Fukueten v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | |||||
| CVE-2023-39048 | 1 Lycorp | 1 Line Mini App | 2023-11-10 | N/A | 7.5 HIGH |
| An information leak in Tokudaya.honten v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | |||||
| CVE-2023-39047 | 1 Lycorp | 1 Line Mini App | 2023-11-10 | N/A | 7.5 HIGH |
| An information leak in shouzu sweets oz v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | |||||
| CVE-2023-39042 | 1 Lycorp | 1 Line Mini App | 2023-11-10 | N/A | 7.5 HIGH |
| An information leak in Gyouza-newhushimi v13.6.1 allows attackers to obtain the channel access token and send crafted messages. | |||||
| CVE-2023-45360 | 1 Mediawiki | 1 Mediawiki | 2023-11-09 | N/A | 5.4 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. | |||||
| CVE-2023-41914 | 2 Fedoraproject, Schedmd | 2 Fedora, Slurm | 2023-11-09 | N/A | 7.0 HIGH |
| SchedMD Slurm 23.02.x before 23.02.6 and 22.05.x before 22.05.10 allows filesystem race conditions for gaining ownership of a file, overwriting a file, or deleting files. | |||||
| CVE-2023-43982 | 1 Bontheme | 1 Socialfeed - Photos \& Video Using Instagram Api | 2023-11-09 | N/A | 9.8 CRITICAL |
| Bon Presta boninstagramcarousel between v5.2.1 to v7.0.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at insta_parser.php. This vulnerability allows attackers to use the vulnerable website as proxy to attack other websites or exfiltrate data via a HTTP call. | |||||
| CVE-2023-41343 | 1 Ragic | 1 Enterprise Cloud Database | 2023-11-09 | N/A | 5.4 MEDIUM |
| Rogic No-Code Database Builder's file uploading function has insufficient filtering for special characters. A remote attacker with regular user privilege can inject JavaScript to perform XSS (Stored Cross-Site Scripting) attack. | |||||