Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-31427 | 1 Broadcom | 1 Fabric Operating System | 2023-08-07 | N/A | 7.8 HIGH |
| Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c, and v9.2.0 Could allow an authenticated, local user with knowledge of full path names inside Brocade Fabric OS to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, “root” account access is disabled. | |||||
| CVE-2023-38419 | 1 F5 | 20 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 17 more | 2023-08-07 | N/A | 4.3 MEDIUM |
| An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2023-36494 | 1 F5 | 1 F5os-a | 2023-08-07 | N/A | 4.4 MEDIUM |
| Audit logs on F5OS-A may contain undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2023-3470 | 1 F5 | 41 Big-ip 10200v-f, Big-ip 10200v-f Firmware, Big-ip 10350v-f and 38 more | 2023-08-07 | N/A | 6.1 MEDIUM |
| Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. The predictable nature of the password allows an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, the information required to generate the correct password. On vCMP systems, all Guests share the same deterministic password, allowing those with TMSH access on one Guest to access keys of a different Guest. The following BIG-IP hardware platforms are affected: 10350v-F, i5820-DF, i7820-DF, i15820-DF, 5250v-F, 7200v-F, 10200v-F, 6900-F, 8900-F, 11000-F, and 11050-F. The BIG-IP rSeries r5920-DF and r10920-DF are not affected, nor does the issue affect software FIPS implementations or network HSM configurations. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2023-37679 | 1 Nextgen | 1 Mirth Connect | 2023-08-07 | N/A | 9.8 CRITICAL |
| A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server. | |||||
| CVE-2022-43702 | 1 Arm | 6 Arm Compiler, Arm Compiler For Embedded Fusa, Arm Compiler For Functional Safety and 3 more | 2023-08-07 | N/A | 7.8 HIGH |
| When the directory containing the installer does not have sufficiently restrictive file permissions, an attacker can modify (or replace) the installer to execute malicious code. | |||||
| CVE-2022-43701 | 1 Arm | 11 Arm Compiler, Arm Compiler For Embedded Fusa, Arm Compiler For Functional Safety and 8 more | 2023-08-07 | N/A | 7.8 HIGH |
| When the installation directory does not have sufficiently restrictive file permissions, an attacker can modify files in the installation directory to cause execution of malicious code. | |||||
| CVE-2021-35391 | 1 Deskpro | 1 Deskpro | 2023-08-07 | N/A | 7.2 HIGH |
| Server Side Request Forgery vulnerability found in Deskpro Support Desk v2021.21.6 allows attackers to execute arbitrary code via a crafted URL. | |||||
| CVE-2023-25836 | 1 Esri | 1 Portal For Arcgis | 2023-08-07 | N/A | 5.4 MEDIUM |
| There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victims browser. The privileges required to execute this attack are low. | |||||
| CVE-2023-32625 | 1 Sakura | 1 Ts Webfonts | 2023-08-07 | N/A | 4.3 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in TS Webfonts for SAKURA 3.1.2 and earlier allows a remote unauthenticated attacker to hijack the authentication of a user and to change settings by having a user view a malicious page. | |||||
| CVE-2023-32624 | 1 Sakura | 1 Ts Webfonts | 2023-08-07 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in TS Webfonts for SAKURA 3.1.0 and earlier allows a remote unauthenticated attacker to inject an arbitrary script. | |||||
| CVE-2023-37550 | 1 Codesys | 16 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 13 more | 2023-08-07 | N/A | 6.5 MEDIUM |
| In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37549. | |||||
| CVE-2023-4111 | 1 Phpjabbers | 1 Bus Reservation System | 2023-08-07 | N/A | 6.1 MEDIUM |
| A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index/pickup_id leads to cross site scripting. The attack may be launched remotely. VDB-235958 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-37549 | 1 Codesys | 16 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 13 more | 2023-08-07 | N/A | 6.5 MEDIUM |
| In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37550 | |||||
| CVE-2023-37548 | 1 Codesys | 16 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 13 more | 2023-08-07 | N/A | 6.5 MEDIUM |
| In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37549 and CVE-2023-37550 | |||||
| CVE-2023-37547 | 1 Codesys | 16 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 13 more | 2023-08-07 | N/A | 6.5 MEDIUM |
| In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550 | |||||
| CVE-2023-37546 | 1 Codesys | 16 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 13 more | 2023-08-07 | N/A | 6.5 MEDIUM |
| In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550 | |||||
| CVE-2023-37545 | 1 Codesys | 16 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 13 more | 2023-08-07 | N/A | 6.5 MEDIUM |
| In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550 | |||||
| CVE-2023-4008 | 1 Gitlab | 1 Gitlab | 2023-08-07 | N/A | 9.8 CRITICAL |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to takeover GitLab Pages with unique domain URLs if the random string added was known. | |||||
| CVE-2023-21412 | 1 Axis | 1 License Plate Verifier | 2023-08-07 | N/A | 8.8 HIGH |
| User provided input is not sanitized on the AXIS License Plate Verifier specific “search.cgi” allowing for SQL injections. | |||||
| CVE-2023-21411 | 1 Axis | 1 License Plate Verifier | 2023-08-07 | N/A | 8.8 HIGH |
| User provided input is not sanitized in the “Settings > Access Control” configuration interface allowing for arbitrary code execution. | |||||
| CVE-2023-21410 | 1 Axis | 1 License Plate Verifier | 2023-08-07 | N/A | 8.8 HIGH |
| User provided input is not sanitized on the AXIS License Plate Verifier specific “api.cgi” allowing for arbitrary code execution. | |||||
| CVE-2023-21409 | 1 Axis | 1 License Plate Verifier | 2023-08-07 | N/A | 9.8 CRITICAL |
| Due to insufficient file permissions, unprivileged users could gain access to unencrypted administrator credentials allowing the configuration of the application. | |||||
| CVE-2023-21408 | 1 Axis | 1 License Plate Verifier | 2023-08-07 | N/A | 9.8 CRITICAL |
| Due to insufficient file permissions, unprivileged users could gain access to unencrypted user credentials that are used in the integration interface towards 3rd party systems. | |||||
| CVE-2023-4110 | 1 Phpjabbers | 1 Availability Booking Calendar | 2023-08-07 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely. The identifier VDB-235957 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-38556 | 1 Epson | 24 Ep-801a, Ep-801a Firmware, Ep-802a and 21 more | 2023-08-07 | N/A | 7.5 HIGH |
| Improper input validation vulnerability in SEIKO EPSON printer Web Config allows a remote attacker to turned off the printer. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers via a web browser. Web Config is pre-installed in some printers provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the vendor. | |||||
| CVE-2023-21407 | 1 Axis | 1 License Plate Verifier | 2023-08-07 | N/A | 8.8 HIGH |
| A broken access control was found allowing for privileged escalation of the operator account to gain administrator privileges. | |||||
| CVE-2023-34552 | 1 Ezviz | 18 Cs-c6n-a0-1c2wfr-mul, Cs-c6n-a0-1c2wfr-mul Firmware, Cs-c6n-b0-1g2wf and 15 more | 2023-08-07 | N/A | 8.8 HIGH |
| In certain EZVIZ products, two stack based buffer overflows in mulicast_parse_sadp_packet and mulicast_get_pack_type functions of the SADP multicast protocol can allow an unauthenticated attacker present on the same local network as the camera to achieve remote code execution. This affects CS-C6N-B0-1G2WF Firmware versions before V5.3.0 build 230215 and CS-C6N-R101-1G2WF Firmware versions before V5.3.0 build 230215 and CS-CV310-A0-1B2WFR Firmware versions before V5.3.0 build 230221 and CS-CV310-A0-1C2WFR-C Firmware versions before V5.3.2 build 230221 and CS-C6N-A0-1C2WFR-MUL Firmware versions before V5.3.2 build 230218 and CS-CV310-A0-3C2WFRL-1080p Firmware versions before V5.2.7 build 230302 and CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p Firmware versions before V5.3.2 build 230214 and CS-CV248-A0-32WMFR Firmware versions before V5.2.3 build 230217 and EZVIZ LC1C Firmware versions before V5.3.4 build 230214. | |||||
| CVE-2023-34551 | 1 Ezviz | 18 Cs-c6n-a0-1c2wfr-mul, Cs-c6n-a0-1c2wfr-mul Firmware, Cs-c6n-b0-1g2wf and 15 more | 2023-08-07 | N/A | 8.0 HIGH |
| In certain EZVIZ products, two stack buffer overflows in netClientSetWlanCfg function of the EZVIZ SDK command server can allow an authenticated attacker present on the same local network as the camera to achieve remote code execution. This affects CS-C6N-B0-1G2WF Firmware versions before V5.3.0 build 230215 and CS-C6N-R101-1G2WF Firmware versions before V5.3.0 build 230215 and CS-CV310-A0-1B2WFR Firmware versions before V5.3.0 build 230221 and CS-CV310-A0-1C2WFR-C Firmware versions before V5.3.2 build 230221 and CS-C6N-A0-1C2WFR-MUL Firmware versions before V5.3.2 build 230218 and CS-CV310-A0-3C2WFRL-1080p Firmware versions before V5.2.7 build 230302 and CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p Firmware versions before V5.3.2 build 230214 and CS-CV248-A0-32WMFR Firmware versions before V5.2.3 build 230217 and EZVIZ LC1C Firmware versions before V5.3.4 build 230214. The impact is: execute arbitrary code (remote). | |||||
| CVE-2023-35861 | 1 Supermicro | 330 H12dgo-6, H12dgo-6 Firmware, H12dgq-nt6 and 327 more | 2023-08-07 | N/A | 9.8 CRITICAL |
| A shell-injection vulnerability in email notifications on Supermicro motherboards (such as H12DST-B before 03.10.35) allows remote attackers to inject execute arbitrary commands as root on the BMC. | |||||
| CVE-2023-0958 | 7 Backupbliss, Copy-delete-posts, Inisev and 4 more | 11 Backup Migration, Clone, Duplicate Post and 8 more | 2023-08-07 | N/A | 6.5 MEDIUM |
| Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX aciton in various versions. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to install select plugins from Inisev on vulnerable sites. CVE-2023-38514 appears to be a duplicate of this vulnerability. | |||||
| CVE-2023-38138 | 1 F5 | 19 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 16 more | 2023-08-07 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2022-2346 | 1 Octopus | 1 Octopus Server | 2023-08-07 | N/A | 4.3 MEDIUM |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints. | |||||
| CVE-2023-37501 | 1 Hcltech | 1 Unica | 2023-08-07 | N/A | 6.1 MEDIUM |
| A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign. An attacker could hijack a user's session and perform other attacks. | |||||
| CVE-2023-37500 | 1 Hcltech | 1 Unica | 2023-08-07 | N/A | 6.1 MEDIUM |
| A Persistent Cross-site Scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform. An attacker could hijack a user's session and perform other attacks. | |||||
| CVE-2023-37499 | 1 Hcltech | 1 Unica | 2023-08-07 | N/A | 6.1 MEDIUM |
| A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform. An attacker could hijack a user's session and perform other attacks. | |||||
| CVE-2023-38423 | 1 F5 | 19 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 16 more | 2023-08-07 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2023-29407 | 1 Golang | 1 Image | 2023-08-07 | N/A | 6.5 MEDIUM |
| A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero. | |||||
| CVE-2023-3978 | 1 Golang | 1 Networking | 2023-08-07 | N/A | 6.1 MEDIUM |
| Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | |||||
| CVE-2023-36081 | 1 Gatesair | 2 Flexiva Fax 150w, Flexiva Fax 150w Firmware | 2023-08-07 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in GatesAIr Flexiva FM Transmitter/Exciter v.FAX 150W allows a remote attacker to execute arbitrary code via a crafted script to the web application dashboard. | |||||
| CVE-2023-29408 | 1 Golang | 1 Image | 2023-08-07 | N/A | 6.5 MEDIUM |
| The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU. | |||||
| CVE-2022-41618 | 1 Davidlingren | 1 Media Library Assistant | 2023-08-07 | N/A | 5.3 MEDIUM |
| Unauthenticated Error Log Disclosure vulnerability in Media Library Assistant plugin <= 3.00 on WordPress. | |||||
| CVE-2020-11928 | 1 Davidlingren | 1 Media Library Assistant | 2023-08-07 | 7.5 HIGH | 9.8 CRITICAL |
| In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the tax_query, meta_query, or date_query parameter in mla_gallery via an admin. | |||||
| CVE-2020-11732 | 1 Davidlingren | 1 Media Library Assistant | 2023-08-07 | 5.0 MEDIUM | 7.5 HIGH |
| The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_gallery link=download. | |||||
| CVE-2020-11731 | 1 Davidlingren | 1 Media Library Assistant | 2023-08-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Media Library Assistant plugin before 2.82 for Wordpress suffers from multiple XSS vulnerabilities in all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript. | |||||
| CVE-2018-20982 | 1 Davidlingren | 1 Media Library Assistant | 2023-08-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The media-library-assistant plugin before 2.74 for WordPress has XSS via the Media/Assistant or Settings/Media Library assistant admin submenu screens. | |||||
| CVE-2023-26316 | 1 Mi | 1 Xiaomi Cloud | 2023-08-07 | N/A | 6.1 MEDIUM |
| A XSS vulnerability exists in the Xiaomi cloud service Application product. The vulnerability is caused by Webview's whitelist checking function allowing javascript protocol to be loaded and can be exploited by attackers to steal Xiaomi cloud service account's cookies. | |||||
| CVE-2022-46485 | 1 Ngsurvey | 1 Ngsurvey | 2023-08-07 | N/A | 7.5 HIGH |
| Data Illusion Survey Software Solutions ngSurvey version 2.4.28 and below is vulnerable to Denial of Service if a survey contains a "Text Field", "Comment Field" or "Contact Details". | |||||
| CVE-2023-3117 | 2023-08-07 | N/A | N/A | ||
| ** REJECT ** Duplicate of CVE-2023-3390. | |||||
| CVE-2023-2850 | 1 Nodebb | 1 Nodebb | 2023-08-07 | N/A | 4.7 MEDIUM |
| NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this vulnerability allows certain user information to be extracted by attacker. | |||||