Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-20013 | 1 Cisco | 1 Intersight Private Virtual Appliance | 2023-08-23 | N/A | 9.1 CRITICAL |
| Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges. The attacker would need to have Administrator privileges on the affected device to exploit these vulnerabilities. These vulnerabilities are due to insufficient input validation when extracting uploaded software packages. An attacker could exploit these vulnerabilities by authenticating to an affected device and uploading a crafted software package. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. | |||||
| CVE-2023-4394 | 1 Linux | 1 Linux Kernel | 2023-08-23 | N/A | 6.0 MEDIUM |
| A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information | |||||
| CVE-2023-40174 | 1 Fobybus | 1 Social-media-skeleton | 2023-08-23 | N/A | 9.8 CRITICAL |
| Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. Social media skeleton releases prior to 1.0.5 did not properly limit manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-40173 | 1 Fobybus | 1 Social-media-skeleton | 2023-08-23 | N/A | 7.5 HIGH |
| Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Prior to version 1.0.5 Social media skeleton did not properly salt passwords leaving user passwords susceptible to cracking should an attacker gain access to hashed passwords. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-40172 | 1 Fobybus | 1 Social-media-skeleton | 2023-08-23 | N/A | 8.8 HIGH |
| Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. A Cross-site request forgery (CSRF) attack is a type of malicious attack whereby an attacker tricks a victim into performing an action on a website that they do not intend to do. This can be done by sending the victim a malicious link or by exploiting a vulnerability in the website. Prior to version 1.0.5 Social media skeleton did not properly restrict CSRF attacks. This has been addressed in version 1.0.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-4407 | 1 Credit Lite Project | 1 Credit Lite | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability classified as critical was found in Codecanyon Credit Lite 1.5.4. Affected by this vulnerability is an unknown functionality of the file /portal/reports/account_statement of the component POST Request Handler. The manipulation of the argument date1/date2 leads to sql injection. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-237511. | |||||
| CVE-2023-4409 | 1 Happysoft | 1 Nbs\&happysoftwechat | 2023-08-23 | N/A | 8.8 HIGH |
| A vulnerability, which was classified as critical, has been found in NBS&HappySoftWeChat 1.1.6. Affected by this issue is some unknown functionality. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-237512. | |||||
| CVE-2023-4410 | 1 Totolink | 2 Ex1200l, Ex1200l Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023. This affects the function setDiagnosisCfg. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-237513 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-32106 | 1 Fahad Mahmood | 1 Wp Docs | 2023-08-23 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Fahad Mahmood WP Docs plugin <= 1.9.9 versions. | |||||
| CVE-2023-39673 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| Tenda AC15 V1.0BR_V15.03.05.18_multi_TD01 was discovered to contain a buffer overflow via the function FUN_00010e34(). | |||||
| CVE-2023-38741 | 4 Hp, Ibm, Linux and 1 more | 5 Hp-ux, Aix, Txseries For Multiplatform and 2 more | 2023-08-23 | N/A | 7.5 HIGH |
| IBM TXSeries for Multiplatforms 8.1, 8.2, and 9.1 is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting a slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service. IBM X-Force ID: 262905. | |||||
| CVE-2023-39670 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| Tenda AC6 _US_AC6V1.0BR_V15.03.05.16 was discovered to contain a buffer overflow via the function fgets. | |||||
| CVE-2023-39668 | 1 Dlink | 2 Dir-868l, Dir-868l Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the param_2 parameter in the inet_ntoa() function. | |||||
| CVE-2023-39667 | 1 Dlink | 2 Dir-868l, Dir-868l Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the param_2 parameter in the FUN_0000acb4 function. | |||||
| CVE-2023-31218 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2023-08-23 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.6 versions. | |||||
| CVE-2023-39665 | 1 Dlink | 2 Dir-868l, Dir-868l Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the acStack_50 parameter. | |||||
| CVE-2023-31232 | 1 Artiss | 1 Plugins List | 2023-08-23 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in David Artiss Plugins List plugin <= 2.5 versions. | |||||
| CVE-2023-20862 | 2 Netapp, Vmware | 2 Active Iq Unified Manager, Spring Security | 2023-08-23 | N/A | 6.3 MEDIUM |
| In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3. | |||||
| CVE-2023-32105 | 1 Wp-pizza | 1 Wppizza | 2023-08-23 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ollybach WPPizza – A Restaurant Plugin plugin <= 3.17.1 versions. | |||||
| CVE-2023-40270 | 2023-08-23 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-38831. Reason: This candidate is a reservation duplicate of CVE-2023-38831. Notes: All CVE users should reference CVE-2023-38831 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2020-20145 | 2023-08-23 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-14834. Reason: This candidate is a reservation duplicate of CVE-2019-14834. Notes: All CVE users should reference CVE-2019-14834 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2023-32103 | 1 Themepalace | 1 Tp Education | 2023-08-23 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Theme Palace TP Education plugin <= 4.4 versions. | |||||
| CVE-2023-31492 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2023-08-23 | N/A | 6.5 MEDIUM |
| Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. | |||||
| CVE-2023-39672 | 1 Tenda | 2 Wh450a, Wh450a Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| Tenda WH450 v1.0.0.18 was discovered to contain a buffer overflow via the function fgets. | |||||
| CVE-2023-39970 | 1 Acyba | 1 Acymailing Starter | 2023-08-23 | N/A | 9.8 CRITICAL |
| Unrestricted Upload of File with Dangerous Type vulnerability in AcyMailing component for Joomla. It allows remote code execution. | |||||
| CVE-2023-40313 | 1 Opennms | 2 Horizon, Meridian | 2023-08-23 | N/A | 8.8 HIGH |
| A BeanShell interpreter in remote server mode runs in OpenMNS Horizon versions earlier than 32.0.2 and in related Meridian versions which could allow arbitrary remote Java code execution. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-4439 | 1 Card Holder Management System Project | 1 Card Holder Management System | 2023-08-23 | N/A | 5.3 MEDIUM |
| A vulnerability was found in SourceCodester Card Holder Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Minus Value Handler. The manipulation leads to improper validation of specified quantity in input. The attack may be launched remotely. The identifier of this vulnerability is VDB-237560. | |||||
| CVE-2023-39743 | 1 Pete4abw | 1 Lzma Software Development Kit | 2023-08-23 | N/A | 5.3 MEDIUM |
| lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3_decode_block src/libbz3.c. | |||||
| CVE-2023-39583 | 2023-08-23 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-38831. Reason: This candidate is a reservation duplicate of CVE-2023-38831. Notes: All CVE users should reference CVE-2023-38831 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2023-32107 | 1 Ays-pro | 1 Photo Gallery | 2023-08-23 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Photo Gallery Team Photo Gallery by Ays – Responsive Image Gallery plugin <= 5.1.3 versions. | |||||
| CVE-2023-39741 | 1 Long Range Zip Project | 1 Long Range Zip | 2023-08-23 | N/A | 5.5 MEDIUM |
| lrzip v0.651 was discovered to contain a heap overflow via the libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file. | |||||
| CVE-2023-4437 | 1 Inventory Management System Project | 1 Inventory Management System | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0. Affected is an unknown function of the file app/ajax/search_sell_paymen_report.php. The manipulation of the argument customer leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-237558 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-4438 | 1 Inventory Management System Project | 1 Inventory Management System | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in SourceCodester Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file app/ajax/search_sales_report.php. The manipulation of the argument customer leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-237559. | |||||
| CVE-2023-4442 | 1 Free Hospital Management System For Small Practices Project | 1 Free Hospital Management System For Small Practices | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Free Hospital Management System for Small Practices 1.0. It has been rated as critical. This issue affects some unknown processing of the file \vm\patient\booking-complete.php. The manipulation of the argument userid/apponum/scheduleid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-237563. | |||||
| CVE-2023-4441 | 1 Free Hospital Management System For Small Practices Project | 1 Free Hospital Management System For Small Practices | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Free Hospital Management System for Small Practices 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /patient/appointment.php. The manipulation of the argument sheduledate leads to sql injection. The attack can be initiated remotely. VDB-237562 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-4440 | 1 Free Hospital Management System For Small Practices Project | 1 Free Hospital Management System For Small Practices | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Free Hospital Management System for Small Practices 1.0. It has been classified as critical. This affects an unknown part of the file appointment.php. The manipulation of the argument sheduledate leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-237561 was assigned to this vulnerability. | |||||
| CVE-2023-40311 | 1 Opennms | 2 Horizon, Meridian | 2023-08-23 | N/A | 4.8 MEDIUM |
| Multiple stored XSS were found on different JSP files with unsanitized parameters in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that allow an attacker to store on database and then load on JSPs or Angular templates. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue. | |||||
| CVE-2023-4443 | 1 Free Hospital Management System For Small Practices Project | 1 Free Hospital Management System For Small Practices | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability classified as critical has been found in SourceCodester Free Hospital Management System for Small Practices 1.0/5.0.12. Affected is an unknown function of the file vm\doctor\edit-doc.php. The manipulation of the argument id00/nic/oldemail/email/spec/Tele leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-237564. | |||||
| CVE-2023-4449 | 1 Inventory Management System Project | 1 Inventory Management System | 2023-08-23 | N/A | 8.8 HIGH |
| A vulnerability was found in SourceCodester Free and Open Source Inventory Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /index.php?page=member. The manipulation of the argument columns[0][data] leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-237570 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-4444 | 1 Free Hospital Management System For Small Practices Project | 1 Free Hospital Management System For Small Practices | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability classified as critical was found in SourceCodester Free Hospital Management System for Small Practices 1.0. Affected by this vulnerability is an unknown functionality of the file vm\patient\edit-user.php. The manipulation of the argument id00/nic/oldemail/email/spec/Tele leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-237565 was assigned to this vulnerability. | |||||
| CVE-2023-4412 | 1 Totolink | 2 Ex1200l, Ex1200l Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability was found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 and classified as critical. This issue affects the function setWanCfg. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-237515. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-27576 | 1 Phplist | 1 Phplist | 2023-08-23 | N/A | 6.7 MEDIUM |
| An issue was discovered in phpList 3.6.12. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. | |||||
| CVE-2023-4411 | 1 Totolink | 2 Ex1200l, Ex1200l Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 and classified as critical. This vulnerability affects the function setTracerouteCfg. The manipulation leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-237514 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-40037 | 1 Apache | 1 Nifi | 2023-08-23 | N/A | 6.5 MEDIUM |
| Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation. | |||||
| CVE-2023-38839 | 1 Kidus | 1 Minimati | 2023-08-23 | N/A | 7.5 HIGH |
| SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote attacker to obtain sensitive information via theID parameter in the fulldelete.php component. | |||||
| CVE-2023-32130 | 1 Danielpowney | 1 Multi Rating | 2023-08-23 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.6 versions. | |||||
| CVE-2023-4433 | 1 Agentejo | 1 Cockpit | 2023-08-23 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | |||||
| CVE-2023-4432 | 1 Agentejo | 1 Cockpit | 2023-08-23 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | |||||
| CVE-2023-40312 | 1 Opennms | 2 Horizon, Meridian | 2023-08-23 | N/A | 5.2 MEDIUM |
| Multiple reflected XSS were found on different JSP files with unsanitized parameters in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that an attacker can modify to craft a malicious XSS payload. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue. | |||||
| CVE-2023-38905 | 1 Jeecg | 1 Jeecg Boot | 2023-08-23 | N/A | 5.5 MEDIUM |
| SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a local attacker to cause a denial of service via the Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE functions. | |||||