Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-3508 | 1 Woocommerce | 1 Woocommerce Pre-orders | 2023-08-03 | N/A | 6.5 MEDIUM | The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged-in admins email pre-order customers, change the release date, mark all pre-orders of a specific product as complete, or cancel them via CSRF attacks. |
| CVE-2020-4868 | 1 Ibm | 1 Tririga Application Platform | 2023-08-03 | N/A | 5.3 MEDIUM | IBM TRIRIGA 3.0, 4.0, and 4.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190744. |
| CVE-2023-4007 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-08-03 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.16. |
| CVE-2023-37216 | 1 Anasystem | 2 Sensmini M4, Sensmini M4 Firmware | 2023-08-03 | N/A | 6.5 MEDIUM | AnaSystem SensMini M4: using the configuration tool, an authenticated user can cause a Denial of Service on the device. |
| CVE-2023-36542 | 1 Apache | 1 Nifi | 2023-08-03 | N/A | 8.8 HIGH | Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation. |
| CVE-2023-38988 | 1 Jeesite | 1 Jeesite | 2023-08-03 | N/A | 4.3 MEDIUM | An issue in the delete function in the OaNotifyController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete notifications created by Administrators. |
| CVE-2023-3670 | 1 Codesys | 2 Development System, Scripting | 2023-08-03 | N/A | 7.3 HIGH | In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0, unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users. |
| CVE-2023-37467 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 5.4 MEDIUM | Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered that could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't applicable to logged-in users. Version 3.1.0.beta7 contains a patch. The stable branch doesn't have this vulnerability. A workaround to prevent the vulnerability is to disable Google Tag Manager, i.e., unset the `gtm container id` setting. |
| CVE-2022-42986 | | | 2023-08-03 | N/A | N/A | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-39122. Reason: This candidate is a reservation duplicate of CVE-2023-39122. Notes: All CVE users should reference CVE-2023-39122 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. |
| CVE-2023-37754 | 1 Powerjob | 1 Powerjob | 2023-08-03 | N/A | 9.8 CRITICAL | PowerJob v4.3.3 was discovered to contain a remote command execution (RCE) vulnerability via the instanceId parameter at /instance/detail. |
| CVE-2023-39013 | 1 Larsga | 1 Duke | 2023-08-03 | N/A | 9.8 CRITICAL | Duke v1.2 and below was discovered to contain a code injection vulnerability via the component no.priv.garshol.duke.server.CommonJTimer.init. |
| CVE-2023-39010 | 1 Lessthanoptimal | 1 Boofcv | 2023-08-03 | N/A | 9.8 CRITICAL | BoofCV 0.42 was discovered to contain a code injection vulnerability via the component boofcv.io.calibration.CalibrationIO.load. This vulnerability is exploited by loading a crafted camera calibration file. |
| CVE-2023-38992 | 1 Jeecg | 1 Jeecg Boot | 2023-08-03 | N/A | 9.8 CRITICAL | jeecg-boot v3.5.1 was discovered to contain a SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData. |
| CVE-2023-39015 | 1 Code4craft | 1 Webmagic | 2023-08-03 | N/A | 9.8 CRITICAL | webmagic-extension v0.9.0 and below was discovered to contain a code injection vulnerability via the component us.codecraft.webmagic.downloader.PhantomJSDownloader. |
| CVE-2023-39016 | 1 Bbossgroups | 1 Bboss-persistent | 2023-08-03 | N/A | 9.8 CRITICAL | bboss-persistent v6.0.9 and below was discovered to contain a code injection vulnerability in the component com.frameworkset.common.poolman.util.SQLManager.createPool. This vulnerability is exploited via passing an unchecked argument. |
| CVE-2023-39017 | 1 Softwareag | 1 Quartz | 2023-08-03 | N/A | 9.8 CRITICAL | quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. |
| CVE-2023-39018 | 1 Ffmpeg | 1 Ffmpeg | 2023-08-03 | N/A | 9.8 CRITICAL | FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.<constructor>. This vulnerability is exploited via passing an unchecked argument. |
| CVE-2023-39020 | 1 Stanford | 1 Stanford Parser | 2023-08-03 | N/A | 9.8 CRITICAL | stanford-parser v3.9.2 and below was discovered to contain a code injection vulnerability in the component edu.stanford.nlp.io.getBZip2PipedInputStream. This vulnerability is exploited via passing an unchecked argument. |
| CVE-2023-39021 | 1 Wix | 1 Wix Embedded Mysql | 2023-08-03 | N/A | 9.8 CRITICAL | wix-embedded-mysql v4.6.1 and below was discovered to contain a code injection vulnerability in the component com.wix.mysql.distribution.Setup.apply. This vulnerability is exploited via passing an unchecked argument. |
| CVE-2023-39022 | 1 Oscore | 1 Oscore | 2023-08-03 | N/A | 9.8 CRITICAL | oscore v2.2.6 and below was discovered to contain a code injection vulnerability in the component com.opensymphony.util.EJBUtils.createStateless. This vulnerability is exploited via passing an unchecked argument. |
| CVE-2023-39023 | 1 University Compass Project | 1 University Compass | 2023-08-03 | N/A | 9.8 CRITICAL | university compass v2.2.0 and below was discovered to contain a code injection vulnerability in the component org.compass.core.executor.DefaultExecutorManager.configure. This vulnerability is exploited via passing an unchecked argument. |
| CVE-2023-37904 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 3.1 LOW | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, more users than permitted could be created from invite links. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. As a workaround, use restrict-to-email-address invites. |
| CVE-2023-37906 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 4.3 MEDIUM | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can edit a post in a topic and cause a DoS with a carefully crafted edit reason. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. |
| CVE-2023-38498 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 6.5 MEDIUM | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installation. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. Users of multisite configurations should upgrade. |
| CVE-2023-38684 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 7.5 HIGH | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. |
| CVE-2023-38685 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 4.3 MEDIUM | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, information about restricted-visibility topic tags could be obtained by unauthorized users. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. |
| CVE-2023-3488 | 1 Silabs | 1 Gecko Software Development Kit | 2023-08-03 | N/A | 5.5 MEDIUM | An uninitialized buffer in the GBL parser in Silicon Labs GSDK v4.3.0 and earlier allows an attacker to leak data from the Secure stack via a malformed GBL file. |
| CVE-2023-38812 | | | 2023-08-03 | N/A | N/A | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. |
| CVE-2023-3987 | 1 Simple Online Mens Salon Management System Project | 1 Simple Online Mens Salon Management System | 2023-08-03 | N/A | N/A | A vulnerability was found in SourceCodester Simple Online Mens Salon Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/?page=user/manage_user&id=3. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-235608. |
| CVE-2023-3988 | 1 Cafe Billing System Project | 1 Cafe Billing System | 2023-08-03 | N/A | 9.8 CRITICAL | A vulnerability was found in Cafe Billing System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file index.php of the component Order Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235609 was assigned to this vulnerability. |
| CVE-2023-3990 | 1 Mingsoft | 1 Mcms | 2023-08-03 | N/A | 6.1 MEDIUM | A vulnerability classified as problematic has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do of the component HTTP POST Request Handler. The manipulation of the argument style leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-235611. |
| CVE-2023-3989 | 1 Jewelry Store System Project | 1 Jewelry Store System | 2023-08-03 | N/A | 6.1 MEDIUM | A vulnerability was found in SourceCodester Jewelry Store System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file add_customer.php. The manipulation leads to cross site scripting. The attack may be launched remotely. VDB-235610 is the identifier assigned to this vulnerability. |
| CVE-2023-38602 | 1 Apple | 1 Macos | 2023-08-03 | N/A | 5.5 MEDIUM | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. An app may be able to modify protected parts of the file system. |
| CVE-2012-4242 | 2 Mf Gig Calendar Project, Wordpress | 2 Mf Gig Calendar, Wordpress | 2023-08-03 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. |
| CVE-2023-38593 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2023-08-02 | N/A | 5.5 MEDIUM | A logic issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.8, iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be able to cause a denial-of-service. |
| CVE-2023-38603 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2023-08-02 | N/A | 7.5 HIGH | The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A remote user may be able to cause a denial-of-service. |
| CVE-2023-38608 | 1 Apple | 1 Macos | 2023-08-02 | N/A | 5.5 MEDIUM | The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.5. An app may be able to access user-sensitive data. |
| CVE-2023-32450 | 1 Dell | 1 Power Manager | 2023-08-02 | N/A | 7.8 HIGH | Dell Power Manager, versions 3.3 to 3.14, contains an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access. |
| CVE-2023-3956 | 1 Instawp | 1 Instawp Connect | 2023-08-02 | N/A | 9.8 CRITICAL | The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete posts and taxonomies, install, activate or deactivate plugins, change customizer settings, and add, modify or delete users, including administrator users. |
| CVE-2023-3957 | 1 Navz | 1 Acf Photo Gallery Field | 2023-08-02 | N/A | 4.3 MEDIUM | The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the 'apg_profile_update' function in versions up to, and including, 1.9. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update user meta arbitrarily. The meta value can only be a string. |
| CVE-2023-37980 | 1 Custom Field For Wp Job Manager Project | 1 Custom Field For Wp Job Manager | 2023-08-02 | N/A | 4.8 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gravity Master Custom Field For WP Job Manager plugin <= 1.1 versions. |
| CVE-2023-3970 | 1 Gzscripts | 1 Availability Booking Calendar Php | 2023-08-02 | N/A | 5.4 MEDIUM | A vulnerability, which was classified as problematic, was found in GZ Scripts Availability Booking Calendar PHP 1.0. This affects an unknown part of the file /index.php?controller=GzUser&action=edit&id=1 of the component Image Handler. The manipulation of the argument img leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235569 was assigned to this vulnerability. |
| CVE-2023-3969 | 1 Gzscripts | 1 Availability Booking Calendar Php | 2023-08-02 | N/A | 5.4 MEDIUM | A vulnerability, which was classified as problematic, has been found in GZ Scripts Availability Booking Calendar PHP 1.0. Affected by this issue is some unknown functionality of the file index.php of the component HTTP POST Request Handler. The manipulation of the argument promo_code leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-235568. |
| CVE-2023-37970 | 1 Mf Gig Calendar Project | 1 Mf Gig Calendar | 2023-08-02 | N/A | 5.4 MEDIUM | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Matthew Fries MF Gig Calendar plugin <= 1.2 versions. |
| CVE-2023-37894 | 1 Radiustheme | 1 Variation Images Gallery For Woocommerce | 2023-08-02 | N/A | 6.1 MEDIUM | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Images Gallery for WooCommerce plugin <= 2.3.3 versions. |
| CVE-2023-38512 | 1 Wpstream | 1 Wpstream | 2023-08-02 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in Wpstream WpStream – Live Streaming, Video on Demand, Pay Per View plugin <= 4.5.4 versions. |
| CVE-2023-37993 | 1 Maennchen1 | 1 Wpshopgermany It-recht Kanzlei | 2023-08-02 | N/A | 4.8 MEDIUM | Auth. Stored Cross-Site Scripting (XSS) vulnerability in maennchen1.De wpShopGermany IT-RECHT KANZLEI plugin <= 1.7 versions. |
| CVE-2023-37981 | 1 Wpkube | 1 Authors List | 2023-08-02 | N/A | 6.1 MEDIUM | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPKube Authors List plugin <= 2.0.2 versions. |
| CVE-2023-37976 | 1 Radioforge | 1 Radio Forge Muses Player With Skins | 2023-08-02 | N/A | 6.1 MEDIUM | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Radio Forge Muses Player with Skins plugin <= 2.5 versions. |
| CVE-2023-37975 | 1 Variation Swatches For Woocommerce Project | 1 Variation Swatches For Woocommerce | 2023-08-02 | N/A | 6.1 MEDIUM | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Swatches for WooCommerce plugin <= 2.3.7 versions. |
