Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-39153 | 1 Jenkins | 1 Gitlab Authentication | 2023-07-31 | N/A | 5.4 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account. | |||||
| CVE-2023-39154 | 1 Jenkins | 1 Qualys Web App Scanning Connector | 2023-07-31 | N/A | 6.5 MEDIUM |
| Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-39152 | 1 Jenkins | 1 Gradle | 2023-07-31 | N/A | 6.5 MEDIUM |
| Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances. | |||||
| CVE-2023-37049 | 1 Emlog | 1 Emlog | 2023-07-31 | N/A | 6.5 MEDIUM |
| emlog 2.1.9 is vulnerable to Arbitrary file deletion via admin\template.php. | |||||
| CVE-2023-38673 | 1 Paddlepaddle | 1 Paddlepaddle | 2023-07-31 | N/A | 9.8 CRITICAL |
| PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted in the ability to execute arbitrary commands on the operating system. | |||||
| CVE-2023-38672 | 1 Paddlepaddle | 1 Paddlepaddle | 2023-07-31 | N/A | 7.5 HIGH |
| FPE in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service. | |||||
| CVE-2023-38671 | 1 Paddlepaddle | 1 Paddlepaddle | 2023-07-31 | N/A | 9.8 CRITICAL |
| Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible. | |||||
| CVE-2023-38670 | 1 Paddlepaddle | 1 Paddlepaddle | 2023-07-31 | N/A | 7.5 HIGH |
| Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. This resulted in a runtime crash and denial of service. | |||||
| CVE-2023-38669 | 1 Paddlepaddle | 1 Paddlepaddle | 2023-07-31 | N/A | 9.8 CRITICAL |
| Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition. | |||||
| CVE-2023-3944 | 1 Phpscriptpoint | 1 Lawyer | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint Lawyer 1.6 and classified as problematic. Affected by this issue is some unknown functionality of the file page.php. The manipulation leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-235400. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-35066 | 1 Infodrom | 1 E-invoice Approval System | 2023-07-31 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infodrom Software E-Invoice Approval System allows SQL Injection.This issue affects E-Invoice Approval System: before v.20230701. | |||||
| CVE-2023-3046 | 1 Biltay | 1 Scienta | 2023-07-31 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Biltay Technology Scienta allows SQL Injection.This issue affects Scienta: before 20230630.1953. | |||||
| CVE-2023-3855 | 1 Phpscriptpoint | 1 Jobseeker | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic was found in phpscriptpoint JobSeeker 1.5. Affected by this vulnerability is an unknown functionality of the file /search-result.php. The manipulation of the argument kw/lc/ct/cp/p leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-235207. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-3856 | 1 Phpscriptpoint | 1 Ecommerce | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in phpscriptpoint Ecommerce 1.15. Affected by this issue is some unknown functionality of the file /blog-single.php. The manipulation of the argument slug leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-235208. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2020-24275 | 1 Swoole | 1 Swoole | 2023-07-31 | N/A | 6.5 MEDIUM |
| A HTTP response header injection vulnerability in Swoole v4.5.2 allows attackers to execute arbitrary code via supplying a crafted URL. | |||||
| CVE-2023-3857 | 1 Phpscriptpoint | 1 Ecommerce | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in phpscriptpoint Ecommerce 1.15. This affects an unknown part of the file /product.php. The manipulation of the argument id leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-235209 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-3486 | 1 Papercut | 2 Papercut Mf, Papercut Ng | 2023-07-31 | N/A | 7.5 HIGH |
| An authentication bypass exists in PaperCut NG versions 22.0.12 and prior that could allow a remote, unauthenticated attacker to upload arbitrary files to the PaperCut NG host’s file storage. This could exhaust system resources and prevent the service from operating as expected. | |||||
| CVE-2023-35043 | 1 Recent Posts Slider Project | 1 Recent Posts Slider | 2023-07-31 | N/A | 6.1 MEDIUM |
| Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Neha Goel Recent Posts Slider plugin <= 1.1 versions. | |||||
| CVE-2023-33925 | 1 Pluginforage | 1 Woocommerce Product Categories Selection Widget | 2023-07-31 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in PluginForage WooCommerce Product Categories Selection Widget plugin <= 2.0 versions. | |||||
| CVE-2023-23833 | 1 Drop Shadow Boxes Project | 1 Drop Shadow Boxes | 2023-07-31 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Steven Henty Drop Shadow Boxes plugin <= 1.7.10 versions. | |||||
| CVE-2023-34017 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2023-07-31 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FiveStarPlugins Five Star Restaurant Reservations plugin <= 2.6.7 versions. | |||||
| CVE-2023-3637 | 1 Redhat | 1 Openstack Platform | 2023-07-31 | N/A | 6.5 MEDIUM |
| An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service. | |||||
| CVE-2023-3858 | 1 Phpscriptpoint | 1 Car Listing | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in phpscriptpoint Car Listing 1.6 and classified as problematic. This vulnerability affects unknown code of the file /search.php. The manipulation of the argument country/state/city leads to cross site scripting. The attack can be initiated remotely. VDB-235210 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-34369 | 1 Login Configurator Project | 1 Login Configurator | 2023-07-31 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GrandSlambert Login Configurator plugin <= 2.1 versions. | |||||
| CVE-2023-38617 | 1 Mobisystems | 1 Office Suite | 2023-07-31 | N/A | 6.1 MEDIUM |
| Office Suite Premium Version v10.9.1.42602 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the filter parameter at /api?path=files. | |||||
| CVE-2023-3862 | 1 Travelable Trek Management Solution Project | 1 Travelable Trek Management Solution | 2023-07-31 | N/A | 4.7 MEDIUM |
| A vulnerability was found in Travelmate Travelable Trek Management Solution 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Comment Box Handler. The manipulation of the argument comment leads to cross site scripting. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. VDB-235214 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-3859 | 1 Phpscriptpoint | 1 Car Listing | 2023-07-31 | N/A | 9.8 CRITICAL |
| A vulnerability was found in phpscriptpoint Car Listing 1.6 and classified as critical. This issue affects some unknown processing of the file /search.php of the component GET Parameter Handler. The manipulation of the argument brand_id/model_id/car_condition/car_category_id/body_type_id/fuel_type_id/transmission_type_id/year/mileage_start/mileage_end/country/state/city leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-235211. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-32046 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2023-07-31 | N/A | 7.8 HIGH |
| Windows MSHTML Platform Elevation of Privilege Vulnerability | |||||
| CVE-2023-2029 | 1 Enzipe | 1 Prepost Seo | 2023-07-31 | N/A | 4.8 MEDIUM |
| The PrePost SEO WordPress plugin through 3.0 does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-3319 | 1 Idisplay | 1 Platplay Ds | 2023-07-31 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iDisplay PlatPlay DS allows Stored XSS.This issue affects PlatPlay DS: before 3.14. | |||||
| CVE-2023-35069 | 1 Biges | 1 Bullwark Momentum Series | 2023-07-31 | N/A | 7.5 HIGH |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bullwark allows Path Traversal.This issue affects Bullwark: before BLW-2016E-960H. | |||||
| CVE-2023-1547 | 1 Elra | 1 Parkmatik | 2023-07-31 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Elra Parkmatik allows SQL Injection through SOAP Parameter Tampering, Command Line Execution through SQL Injection.This issue affects Parkmatik: before 02.01-a51. | |||||
| CVE-2023-37629 | 1 Simple Online Piggery Management System Project | 1 Simple Online Piggery Management System | 2023-07-31 | N/A | 9.8 CRITICAL |
| Online Piggery Management System 1.0 is vulnerable to File Upload. An unauthenticated user can upload a php file by sending a POST request to "add-pig.php." | |||||
| CVE-2023-3600 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-07-31 | N/A | 8.8 HIGH |
| During the worker lifecycle, a use-after-free condition could have occured, which could have led to a potentially exploitable crash. This vulnerability affects Firefox < 115.0.2, Firefox ESR < 115.0.2, and Thunderbird < 115.0.1. | |||||
| CVE-2023-36543 | 1 Apache | 1 Airflow | 2023-07-31 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected | |||||
| CVE-2023-2958 | 1 Orjinyazilim | 1 Ats Pro | 2023-07-31 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714. | |||||
| CVE-2023-3860 | 1 Phpscriptpoint | 1 Insurance | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint Insurance 1.2. It has been classified as problematic. Affected is an unknown function of the file /page.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-235212. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-37917 | 1 Fit2cloud | 1 Kubepi | 2023-07-31 | N/A | 8.8 HIGH |
| KubePi is an opensource kubernetes management panel. A normal user has permission to create/update users, they can become admin by editing the `isadmin` value in the request. As a result any user may take administrative control of KubePi. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-37918 | 1 Linuxfoundation | 1 Dapr | 2023-07-31 | N/A | 7.5 HIGH |
| Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or to 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 or to 1.11.2. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-26301 | 1 Hp | 38 Color Laserjet Pro 4201-4203 4ra87f, Color Laserjet Pro 4201-4203 4ra87f Firmware, Color Laserjet Pro 4201-4203 4ra88f and 35 more | 2023-07-31 | N/A | 9.8 CRITICAL |
| Certain HP LaserJet Pro print products are potentially vulnerable to an Elevation of Privilege and/or Information Disclosure related to a lack of authentication with certain endpoints. | |||||
| CVE-2023-3861 | 1 Phpscriptpoint | 1 Insurance | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint Insurance 1.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /search.php. The manipulation leads to cross site scripting. The attack can be launched remotely. The identifier VDB-235213 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-2309 | 1 Gvectors | 1 Wpforo Forum | 2023-07-31 | N/A | 6.1 MEDIUM |
| The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnerability. | |||||
| CVE-2023-2761 | 1 Solwininfotech | 1 User Activity Log | 2023-07-31 | N/A | 7.2 HIGH |
| The User Activity Log WordPress plugin before 1.6.3 does not properly sanitise and escape the `txtsearch` parameter before using it in a SQL statement in some admin pages, leading to a SQL injection exploitable by high privilege users such as admin. | |||||
| CVE-2023-4026 | 2023-07-31 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-4024. Reason: This record is a duplicate of CVE-2023-4024. Notes: All CVE users should reference CVE-2023-4024 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage. | |||||
| CVE-2023-22506 | 1 Atlassian | 2 Bamboo Data Center, Bamboo Server | 2023-07-31 | N/A | 8.8 HIGH |
| This High severity Injection and RCE (Remote Code Execution) vulnerability known as CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center. This Injection and RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.5, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction. Atlassian recommends that you upgrade your instance to latest version. If you're unable to upgrade to latest, upgrade to one of these fixed versions: 9.2.3 and 9.3.1. See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html|https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Bamboo Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives|https://www.atlassian.com/software/bamboo/download-archives]). This vulnerability was reported via our Penetration Testing program. | |||||
| CVE-2023-32712 | 1 Splunk | 1 Splunk | 2023-07-31 | N/A | 3.1 LOW |
| In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes, to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit. The vulnerability does not affect Splunk Cloud Platform instances. The vulnerability does not directly affect Splunk Enterprise. The indirect impact on the Splunk Enterprise instance can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine. | |||||
| CVE-2023-3344 | 1 Auto Location For Wp Job Manager Via Google Project | 1 Auto Location For Wp Job Manager Via Google | 2023-07-31 | N/A | 4.8 MEDIUM |
| The Auto Location for WP Job Manager via Google WordPress plugin before 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-3248 | 1 Premio | 1 My Sticky Elements | 2023-07-31 | N/A | 4.8 MEDIUM |
| The All-in-one Floating Contact Form WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-37473 | 1 Zenstruck | 1 Collection | 2023-07-31 | N/A | 8.8 HIGH |
| zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`. | |||||
| CVE-2023-3853 | 1 Phpscriptpoint | 1 Bloodbank | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint BloodBank 1.1. It has been rated as problematic. This issue affects some unknown processing of the file page.php. The manipulation leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-235205 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||