Latest vulnerabilities of 23-06-2023


Last updated on 23/06/2023 at 20:00:06

CRITICAL vulnerabilities [9.0, 10.0]

Vulnerability ID: CVE-2023-2611

First published: 2023-06-22T17:15:44.667

Last modified: 2023-06-22T20:05:36.757

Description:
Advantech R-SeeNet version 2.4.22 is installed with a hidden root-level user that does not appear in the users list. This hidden user has a password that cannot be changed by users.

CVE ID: CVE-2023-2611

Source: ics-cert@hq.dhs.gov

CVSS score: 9.8

References:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-173-02 | source : ics-cert@hq.dhs.gov


Vulnerability ID: CVE-2023-3128

First published: 2023-06-22T21:15:09.573

Last modified: 2023-06-23T13:03:39.067

Description:
Grafana validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

CVE ID: CVE-2023-3128

Source: security@grafana.com

CVSS score: 9.4

References:
https://grafana.com/security/security-advisories/cve-2023-3128/ | source : security@grafana.com


Vulnerability ID: CVE-2023-33299

First published: 2023-06-23T08:15:09.483

Last modified: 2023-06-23T13:03:31.027

Description:
A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows an attacker to execute unauthorized code or commands via a specifically crafted request on the inter-server communication port. Note: FortiNAC 8.x versions will not be fixed.

CVE ID: CVE-2023-33299

Source: psirt@fortinet.com

CVSS score: 9.8

References:
https://fortiguard.com/psirt/FG-IR-23-074 | source : psirt@fortinet.com


Vulnerability ID: CVE-2023-34464

First published: 2023-06-23T15:15:09.200

Last modified: 2023-06-23T15:49:09.940

Description:
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of org.xwiki.platform:xwiki-platform-web-templates, any user who can edit a document in a wiki, such as the user profile, can create a stored cross-site scripting attack. The attack occurs by putting plain HTML code into that document and then tricking another user into visiting that document with the `displaycontent` or `rendercontent` template and plain output syntax. If a user with programming rights is tricked into visiting such a URL, arbitrary actions can be performed with this user's rights, impacting the confidentiality, integrity, and availability of the whole XWiki installation. This has been patched in XWiki 14.4.8, 14.10.5 and 15.1RC1 by setting the content type of the response to plain text when the output syntax is not an HTML syntax.

CVE ID: CVE-2023-34464

Source: security-advisories@github.com

CVSS score: 9.0

References:
https://github.com/xwiki/xwiki-platform/commit/53e8292a31ec70fba5e1d705a4ac443658b9e6df | source : security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp7h-f9f5-x4q7 | source : security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20290 | source : security-advisories@github.com


Vulnerability ID: CVE-2023-34465

First published: 2023-06-23T16:15:09.303

Last modified: 2023-06-23T17:21:14.907

Description:
XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig` can be edited by any logged-in user by default. Consequently, they can change the mail obfuscation configuration and view and edit the mail sending configuration, including the SMTP domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the rights of the `Mail.MailConfig` page can be manually updated so that only a set of trusted users can view, edit and delete it (e.g., the `XWiki.XWikiAdminGroup` group).

CVE ID: CVE-2023-34465

Source: security-advisories@github.com

CVSS score: 9.9

References:
https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1 | source : security-advisories@github.com
https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4 | source : security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g75c-cjr6-39mc | source : security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20519 | source : security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20671 | source : security-advisories@github.com


Vulnerability ID: CVE-2023-35150

First published: 2023-06-23T17:15:09.380

Last modified: 2023-06-23T17:21:14.907

Description:
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting a URL with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.

CVE ID: CVE-2023-35150

Source: security-advisories@github.com

CVSS score: 9.9

References:
https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a | source : security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2w | source : security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20285 | source : security-advisories@github.com


Vulnerability ID: CVE-2023-35152

First published: 2023-06-23T17:15:09.533

Last modified: 2023-06-23T17:21:14.907

Description:
XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged-in user can add dangerous content in their first name field and see it executed with programming rights, leading to rights escalation. The vulnerability has been fixed in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually.

CVE ID: CVE-2023-35152

Source: security-advisories@github.com

CVSS score: 9.9

References:
https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39 | source : security-advisories@github.com
https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49 | source : security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm | source : security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-19900 | source : security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20611 | source : security-advisories@github.com


HIGH vulnerabilities [7.0, 8.9]

Vulnerability ID: CVE-2019-25152

First published: 2023-06-22T02:15:47.730

Last modified: 2023-06-22T12:51:30.407

Description:
The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard.

CVE ID: CVE-2019-25152

Source: security@wordfence.com

CVSS score: 7.2

References:
https://plugins.trac.wordpress.org/changeset/2033212 | source : security@wordfence.com
https://wpscan.com/vulnerability/9229 | source : security@wordfence.com
https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/ | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/a9cc5c6d-4396-4ebf-8788-f01dd9e9cfbc?source=cve | source : security@wordfence.com


Vulnerability ID: CVE-2023-28956

First published: 2023-06-22T02:15:48.717

Last modified: 2023-06-22T12:51:30.407

Description:
IBM Spectrum Protect Backup-Archive Client 8.1.0.0 through 8.1.17.2 may allow a local user to escalate their privileges due to improper access controls. IBM X-Force ID: 251767.

CVE ID: CVE-2023-28956

Source: psirt@us.ibm.com

CVSS score: 8.4

References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/251767 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7005519 | source : psirt@us.ibm.com


Vulnerability ID: CVE-2023-32449

First published: 2023-06-22T07:15:08.867

Last modified: 2023-06-22T12:51:30.407

Description:
Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a highly privileged user into installing a malicious binary by bypassing the existing cryptographic signature checks.

CVE ID: CVE-2023-32449

Source: security_alert@emc.com

CVSS score: 7.2

References:
https://www.dell.com/support/kbdoc/en-us/000215171/dsa-2023-173-dell-powerstore-family-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com


Vulnerability ID: CVE-2023-28166

First published: 2023-06-22T09:15:10.993

Last modified: 2023-06-22T12:51:23.447

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Aakif Kadiwala Tags Cloud Manager plugin <= 1.0.0 versions.

CVE ID: CVE-2023-28166

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/tags-cloud-manager/wordpress-tags-cloud-manager-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-20892

First published: 2023-06-22T12:15:09.870

Last modified: 2023-06-22T12:51:23.447

Description:
The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit the heap-overflow vulnerability to execute arbitrary code on the underlying operating system that hosts vCenter Server.

CVE ID: CVE-2023-20892

Source: security@vmware.com

CVSS score: 8.1

References:
https://www.vmware.com/security/advisories/VMSA-2023-0014.html | source : security@vmware.com


Vulnerability ID: CVE-2023-20893

First published: 2023-06-22T12:15:10.490

Last modified: 2023-06-22T12:51:23.447

Description:
The VMware vCenter Server contains a use-after-free vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server.

CVE ID: CVE-2023-20893

Source: security@vmware.com

CVSS score: 8.1

References:
https://www.vmware.com/security/advisories/VMSA-2023-0014.html | source : security@vmware.com


Vulnerability ID: CVE-2023-20894

First published: 2023-06-22T12:15:10.740

Last modified: 2023-06-22T12:51:23.447

Description:
The VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write by sending a specially crafted packet, leading to memory corruption.

CVE ID: CVE-2023-20894

Source: security@vmware.com

CVSS score: 8.1

References:
https://www.vmware.com/security/advisories/VMSA-2023-0014.html | source : security@vmware.com


Vulnerability ID: CVE-2023-20895

First published: 2023-06-22T12:15:10.893

Last modified: 2023-06-22T12:51:15.117

Description:
The VMware vCenter Server contains a memory corruption vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger a memory corruption vulnerability which may bypass authentication.

CVE ID: CVE-2023-20895

Source: security@vmware.com

CVSS score: 8.1

References:
https://www.vmware.com/security/advisories/VMSA-2023-0014.html | source : security@vmware.com


Vulnerability ID: CVE-2023-23795

First published: 2023-06-22T12:15:10.967

Last modified: 2023-06-22T12:51:15.117

Description:
Cross-Site Request Forgery (CSRF) vulnerability in Muneeb Form Builder plugin <= 1.9.9.0 versions.

CVE ID: CVE-2023-23795

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/contact-form-add/wordpress-form-builder-create-responsive-contact-forms-plugin-1-9-9-0-cross-site-request-forgery-csrf-leading-to-post-page-deletion-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28750

First published: 2023-06-22T12:15:11.500

Last modified: 2023-06-22T12:51:15.117

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ignazio Scimone Albo Pretorio On line plugin <= 4.6 versions.

CVE ID: CVE-2023-28750

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/albo-pretorio-on-line/wordpress-albo-pretorio-on-line-plugin-4-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28776

First published: 2023-06-22T12:15:11.577

Last modified: 2023-06-22T12:51:15.117

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Continuous Image Carousel With Lightbox plugin <= 1.0.15 versions.

CVE ID: CVE-2023-28776

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/continuous-image-carousel-with-lightbox/wordpress-continuous-image-carousel-with-lightbox-plugin-1-0-15-reflected-cross-site-scripting-xss-vulnerability-2?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28784

First published: 2023-06-22T12:15:11.723

Last modified: 2023-06-22T12:51:15.117

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 21.1.2 versions.

CVE ID: CVE-2023-28784

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/contest-gallery/wordpress-contest-gallery-plugin-21-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-35918

First published: 2023-06-22T12:15:12.213

Last modified: 2023-06-22T12:51:15.117

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Bulk Stock Management plugin <= 2.2.33 versions.

CVE ID: CVE-2023-35918

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/woocommerce-bulk-stock-management/wordpress-woocommerce-bulk-stock-management-plugin-2-2-33-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2022-47593

First published: 2023-06-22T13:15:09.490

Last modified: 2023-06-22T14:49:18.643

Description:
Auth. (subscriber+) SQL Injection (SQLi) vulnerability in RapidLoad RapidLoad Power-Up for Autoptimize plugin <= 1.6.35 versions.

CVE ID: CVE-2022-47593

Source: audit@patchstack.com

CVSS score: 8.5

References:
https://patchstack.com/database/vulnerability/unusedcss/wordpress-rapidload-power-up-for-autoptimize-plugin-1-6-35-sql-injection?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-32960

First published: 2023-06-22T13:15:10.020

Last modified: 2023-06-22T14:49:18.643

Description:
Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin <= 1.23.3 versions leads to sitewide Cross-Site Scripting (XSS).

CVE ID: CVE-2023-32960

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/updraftplus/wordpress-updraftplus-plugin-1-23-3-csrf-lead-to-wp-admin-site-wide-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-33997

First published: 2023-06-22T13:15:10.170

Last modified: 2023-06-22T14:49:18.643

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Robin Wilson bbp style pack plugin <= 5.5.5 versions.

CVE ID: CVE-2023-33997

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/bbp-style-pack/wordpress-bbp-style-pack-plugin-5-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-35174

First published: 2023-06-22T14:15:09.517

Last modified: 2023-06-22T14:49:18.643

Description:
Livebook is a web application for writing interactive and collaborative code notebooks. On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on the victim's machine. Any user using Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from the browser. This vulnerability has been fixed in versions 0.8.2 and 0.9.3.

CVE ID: CVE-2023-35174

Source: security-advisories@github.com

CVSS score: 8.6

References:
https://github.com/livebook-dev/livebook/commit/2e11b59f677c6ed3b6aa82dad412a8b3406ffdf1 | source : security-advisories@github.com
https://github.com/livebook-dev/livebook/commit/beb10daaadcc765f0380e436bd7cd5f74cf086c8 | source : security-advisories@github.com
https://github.com/livebook-dev/livebook/releases/tag/v0.8.2 | source : security-advisories@github.com
https://github.com/livebook-dev/livebook/releases/tag/v0.9.3 | source : security-advisories@github.com
https://github.com/livebook-dev/livebook/security/advisories/GHSA-564w-97r7-c6p9 | source : security-advisories@github.com


Vulnerability ID: CVE-2023-35926

First published: 2023-06-22T14:15:09.607

Last modified: 2023-06-22T14:49:18.643

Description:
Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.

CVE ID: CVE-2023-35926

Source: security-advisories@github.com

CVSS score: 8.0

References:
https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a | source : security-advisories@github.com
https://github.com/backstage/backstage/releases/tag/v1.15.0 | source : security-advisories@github.com
https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr | source : security-advisories@github.com


Vulnerability ID: CVE-2023-3256

First published: 2023-06-22T17:15:44.757

Last modified: 2023-06-22T20:05:36.757

Description:
Advantech R-SeeNet version 2.4.22 allows low-level users to access and load the content of local files.

CVE ID: CVE-2023-3256

Source: ics-cert@hq.dhs.gov

CVSS score: 8.8

References:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-173-02 | source : ics-cert@hq.dhs.gov


Vulnerability ID: CVE-2023-28799

First published: 2023-06-22T20:15:09.283

Last modified: 2023-06-23T13:03:39.067

Description:
A URL parameter during the login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after authentication and send the authorization token to the redirected domain.

CVE ID: CVE-2023-28799

Source: cve@zscaler.com

CVSS score: 8.2

References:
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux&applicable_version=1.4&deployment_date=2022-10-31&id=1420246 | source : cve@zscaler.com
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Android&applicable_version=1.10.2&deployment_date=2023-03-09&id=1447706 | source : cve@zscaler.com
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Chrome%20OS&applicable_version=1.10.1&deployment_date=2023-03-10&id=1447771 | source : cve@zscaler.com
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=iOS&applicable_version=1.9.3&deployment_date=2023-03-03&id=1447071 | source : cve@zscaler.com
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macOS&applicable_version=3.9&deployment_date=2023-01-25&id=1443546 | source : cve@zscaler.com
https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2021?applicable_category=Windows&applicable_version=3.7&deployment_date=2021-11-26&id=1386541 | source : cve@zscaler.com


Vulnerability ID: CVE-2023-28800

First published: 2023-06-22T20:15:09.373

Last modified: 2023-06-23T13:03:39.067

Description:
When using local accounts for administration, the redirect URL parameter was not encoded correctly, allowing for an XSS attack providing admin login.

CVE ID: CVE-2023-28800

Source: cve@zscaler.com

CVSS score: 8.1

References:
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux&applicable_version=1.4&deployment_date=2022-10-31&id=1420246 | source : cve@zscaler.com
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Android&applicable_version=1.10.2&deployment_date=2023-03-09&id=1447706 | source : cve@zscaler.com
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Chrome%20OS&applicable_version=1.10.1&deployment_date=2023-03-10&id=1447771 | source : cve@zscaler.com
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=iOS&applicable_version=1.9.3&deployment_date=2023-03-03&id=1447071 | source : cve@zscaler.com
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macOS&applicable_version=3.9&deployment_date=2023-01-25&id=1443546 | source : cve@zscaler.com
https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2021?applicable_category=Windows&applicable_version=3.7&deployment_date=2021-11-26&id=1386541 | source : cve@zscaler.com


Vulnerability ID: CVE-2023-28094

First published: 2023-06-22T21:15:09.163

Last modified: 2023-06-23T13:03:39.067

Description:
Pega platform clients who are using versions 6.1 through 8.8.3 and have upgraded from a version prior to 8.x may be utilizing default credentials.

CVE ID: CVE-2023-28094

Source: security@pega.com

CVSS score: 8.1

References:
https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators? | source : security@pega.com


Vulnerability ID: CVE-2023-32320

First published: 2023-06-22T21:15:09.287

Last modified: 2023-06-23T13:03:39.067

Description:
Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests exceeded the limit by the time the response was sent to the client. This allowed someone to send as many requests as the server could handle in parallel to brute-force protected details instead of the configured limit, default 8. Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 and 26.0.2 contain patches for this issue.

CVE ID: CVE-2023-32320

Source: security-advisories@github.com

CVSS score: 8.7

References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg | source : security-advisories@github.com
https://github.com/nextcloud/server/pull/38274 | source : security-advisories@github.com
https://hackerone.com/reports/1918525 | source : security-advisories@github.com


Vulnerability ID: CVE-2023-28006

First published: 2023-06-22T23:15:09.277

Last modified: 2023-06-23T13:03:31.027

Description:
The OSD Bare Metal Server uses a cryptographic algorithm that is no longer considered sufficiently secure.

CVE ID: CVE-2023-28006

Source: psirt@hcl.com

CVSS score: 7.0

References:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105601 | source : psirt@hcl.com


Vulnerability ID: CVE-2023-33141

First published: 2023-06-23T02:15:09.513

Last modified: 2023-06-23T13:03:31.027

Description:
Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability

CVE ID: CVE-2023-33141

Source: secure@microsoft.com

CVSS score: 7.5

References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33141 | source : secure@microsoft.com


Vulnerability ID: CVE-2023-28073

First published: 2023-06-23T11:15:09.863

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an improper authentication vulnerability. A locally authenticated malicious user may potentially exploit this vulnerability by bypassing certain authentication mechanisms in order to elevate privileges on the system.

CVE ID: CVE-2023-28073

Source: security_alert@emc.com

CVSS score: 8.2

References:
https://www.dell.com/support/kbdoc/en-us/000213032/dsa-2023-160-dell-client | source : security_alert@emc.com


Vulnerability ID: CVE-2023-34012

First published: 2023-06-23T12:15:09.687

Last modified: 2023-06-23T13:03:18.900

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premium Addons for Elementor Premium Addons PRO plugin <= 2.8.24 versions.

CVE ID: CVE-2023-34012

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/premium-addons-pro/wordpress-premium-addons-pro-plugin-2-8-24-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-34021

First published: 2023-06-23T12:15:09.760

Last modified: 2023-06-23T13:03:18.900

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moyle Church Admin plugin <= 3.7.29 versions.

CVE ID: CVE-2023-34021

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-3-7-29-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-29100

First published: 2023-06-23T13:15:10.350

Last modified: 2023-06-23T15:14:22.530

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Dream-Theme The7 plugin <= 11.6.0 versions.

CVE ID: CVE-2023-29100

Source: audit@patchstack.com

CVSS score: 7.1

References:
https://patchstack.com/database/vulnerability/dt-the7/wordpress-the7-theme-11-6-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2022-47614

First published: 2023-06-23T15:15:08.983

Last modified: 2023-06-23T15:49:09.940

Description:
Unauth. SQL Injection (SQLi) vulnerability in InspireUI MStore API plugin <= 3.9.7 versions.

CVE ID: CVE-2022-47614

Source: audit@patchstack.com

CVSS score: 7.5

References:
https://patchstack.com/database/vulnerability/mstore-api/wordpress-mstore-api-plugin-3-9-7-sql-injection?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-34467

First published: 2023-06-23T17:15:09.310

Last modified: 2023-06-23T17:21:14.907

Description:
XWiki Platform is a generic wiki platform. Starting in version 3.5-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, the mail obfuscation configuration was not fully taken into account. While the mail displayed to the end user was obfuscated, the REST response also contained the unobfuscated mail, and users were able to filter and sort on the unobfuscated value, allowing them to infer the mail content. The consequence was the possibility to retrieve the email addresses of all users even when obfuscated. This has been patched in XWiki 14.4.8, 14.10.4, and 15.0-rc-1.

CVE ID: CVE-2023-34467

Source: security-advisories@github.com

CVSS score: 7.5

References:
https://github.com/xwiki/xwiki-platform/commit/71f889db9962df2d385f4298e29cfbc9050b828a#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a | source : security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vr7-cghh-ch63 | source : security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20333 | source : security-advisories@github.com


Vulnerability ID: CVE-2023-35151

First published: 2023-06-23T17:15:09.457

Last modified: 2023-06-23T17:21:14.907

Description:
XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 14.4.8, 14.10.6, and 15.1. There is no known workaround.

CVE ID: CVE-2023-35151

Source: security-advisories@github.com

CVSS score: 7.5

References:
https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede | source : security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56 | source : security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-16138 | source : security-advisories@github.com


MEDIUM vulnerabilities [4.0, 6.9]

Vulnerability ID: CVE-2023-33842

First published: 2023-06-22T02:15:48.857

Last modified: 2023-06-22T12:51:30.407

Description:
IBM SPSS Modeler on Windows 17.0, 18.0, 18.2.2, 18.3, 18.4, and 18.5 requires the end user to have access to the server SSL key, which could allow a local user to decrypt and obtain sensitive information. IBM X-Force ID: 256117.

CVE ID: CVE-2023-33842

Source: psirt@us.ibm.com

CVSS score: 6.2

References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/256117 | source : psirt@us.ibm.com
https://https://www.ibm.com/support/pages/node/7004299 | source : psirt@us.ibm.com


Vulnerability ID: CVE-2023-26115

First published: 2023-06-22T05:15:09.157

Last modified: 2023-06-22T12:51:30.407

Description:
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

CVE ID: CVE-2023-26115

Source: report@snyk.io

CVSS score: 5.3

References:
https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657 | source : report@snyk.io
https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973 | source : report@snyk.io
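The ReDoS class behind CVE-2023-26115, shown as an added example that is not word-wrap's own code. It assumes, as a hypothesis to verify against the index.js line linked above, that the trim step applies a trailing-blank pattern of the form `/[ \t]*$/gm` to the wrapped result; `trimTrailingBlanksLinear`, `pathologicalInput` and `measureMs` are this example's own names, and the constructed input (a long run of spaces followed by one non-blank character) is chosen so the blank run never sits at a line end, which is what forces the backtracking.

```javascript
// Added example, not word-wrap's code. Assumption: the vulnerable trim step
// applies a pattern of the form /[ \t]*$/gm to the wrapped result (check the
// linked index.js#L39). Everything else here is constructed for illustration.

const TRAILING_BLANKS_RE = /[ \t]*$/gm;

// Backtracking trim. On a long run of blanks that is NOT followed by a line end,
// the engine matches the whole run, fails at $, gives back one blank at a time,
// then restarts one index later: O(n^2) work for n blanks.
function trimTrailingBlanksRegex(text) {
  return text.replace(TRAILING_BLANKS_RE, '');
}

// Linear trim with the same semantics: strip only ' ' and '\t' before each
// JavaScript line terminator (\n, \r, \u2028, \u2029) and at end of input.
// One backward scan per line, no backtracking.
function trimTrailingBlanksLinear(text) {
  const parts = text.split(/(\r\n|\r|\n|\u2028|\u2029)/); // separators land at odd indexes
  for (let i = 0; i < parts.length; i += 2) {
    const line = parts[i];
    let end = line.length;
    while (end > 0 && (line[end - 1] === ' ' || line[end - 1] === '\t')) end--;
    parts[i] = line.slice(0, end);
  }
  return parts.join('');
}

// Constructed pathological input: n blanks followed by a non-blank, so the
// blank run never sits at a line end and every start position backtracks.
function pathologicalInput(n) {
  return ' '.repeat(n) + 'x';
}

// Wall-clock cost of fn(input) in milliseconds (demo only).
function measureMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Doubling n should roughly quadruple the regex time and double the linear time.
function demo() {
  return [2000, 4000, 8000, 16000].map((n) => {
    const input = pathologicalInput(n);
    return {
      n,
      regexMs: Number(measureMs(trimTrailingBlanksRegex, input).toFixed(1)),
      linearMs: Number(measureMs(trimTrailingBlanksLinear, input).toFixed(1)),
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Run the file directly to see the growth; the two trim functions return identical strings on every input, so the linear version is a drop-in replacement for the pattern, which is the shape of fix a reviewer would expect for this class of bug.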


Vulnerability ID: CVE-2023-27413

First published: 2023-06-22T08:15:09.173

Last modified: 2023-06-22T12:51:30.407

Description:
Authenticated (contributor+) stored cross-site scripting (XSS) vulnerability in Shazzad Hossain Khan W4 Post List plugin, versions <= 2.4.4.

CVE ID: CVE-2023-27413

Source: audit@patchstack.com

CVSS score: 6.5

References:
https://patchstack.com/database/vulnerability/w4-post-list/wordpress-w4-post-list-plugin-2-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-27612

First published: 2023-06-22T08:15:09.277

Last modified: 2023-06-22T12:51:30.407

Description:
Authenticated (contributor+) stored cross-site scripting (XSS) vulnerability in Paul Ryley Site Reviews plugin, versions <= 6.5.1.

CVE ID: CVE-2023-27612

Source: audit@patchstack.com

CVSS score: 6.5

References:
https://patchstack.com/database/vulnerability/site-reviews/wordpress-site-reviews-plugin-6-5-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-27629

First published: 2023-06-22T08:15:09.353

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (contributor+) stored cross-site scripting (XSS) vulnerability in Paul Ryley Site Reviews plugin, versions <= 6.5.1.

CVE ID: CVE-2023-27629

Source: audit@patchstack.com

CVSS score: 6.5

References:
https://patchstack.com/database/vulnerability/site-reviews/wordpress-site-reviews-plugin-6-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-27631

First published: 2023-06-22T08:15:09.433

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (contributor+) stored cross-site scripting (XSS) vulnerability in mmrs151 Daily Prayer Time plugin, versions <= 2023.05.04.

CVE ID: CVE-2023-27631

Source: audit@patchstack.com

CVSS score: 6.5

References:
https://patchstack.com/database/vulnerability/daily-prayer-time-for-mosques/wordpress-daily-prayer-time-plugin-2023-02-21-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-27618

First published: 2023-06-22T09:15:10.873

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (editor+) stored cross-site scripting (XSS) vulnerability in AGILELOGIX Store Locator WordPress plugin, versions <= 1.4.9.

CVE ID: CVE-2023-27618

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/agile-store-locator/wordpress-store-locator-wordpress-plugin-1-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28171

First published: 2023-06-22T09:15:11.070

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (subscriber+) stored cross-site scripting (XSS) vulnerability in WP Chill Brilliance theme, versions <= 1.3.1.

CVE ID: CVE-2023-28171

Source: audit@patchstack.com

CVSS score: 5.4

References:
https://patchstack.com/database/vulnerability/brilliance/wordpress-brilliance-theme-1-3-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28423

First published: 2023-06-22T09:15:11.147

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Prism Tech Studios Modern Footnotes plugin, versions <= 1.4.15.

CVE ID: CVE-2023-28423

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/modern-footnotes/wordpress-modern-footnotes-plugin-1-4-15-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28496

First published: 2023-06-22T09:15:11.217

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in SMTP2GO – Email Made Easy plugin, versions <= 1.4.2.

CVE ID: CVE-2023-28496

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/smtp2go/wordpress-smtp2go-plugin-1-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28534

First published: 2023-06-22T09:15:11.297

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (subscriber+) stored cross-site scripting (XSS) vulnerability in WP Job Portal WP Job Portal – A Complete Job Board plugin, versions <= 2.0.0.

CVE ID: CVE-2023-28534

Source: audit@patchstack.com

CVSS score: 6.5

References:
https://patchstack.com/database/vulnerability/wp-job-portal/wordpress-wp-job-portal-a-complete-job-board-plugin-1-1-9-cross-site-scripting-xss?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28695

First published: 2023-06-22T09:15:11.373

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Drew Phillips VigilanTor plugin, versions <= 1.3.10.

CVE ID: CVE-2023-28695

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/vigilantor/wordpress-vigilantor-plugin-1-3-10-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-31213

First published: 2023-06-22T11:15:09.537

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (contributor+) stored cross-site scripting (XSS) vulnerability in WPBakery Page Builder plugin, versions <= 6.13.0.

CVE ID: CVE-2023-31213

Source: audit@patchstack.com

CVSS score: 6.5

References:
https://patchstack.com/database/vulnerability/js_composer/wordpress-wpbakery-page-builder-plugin-6-13-0-contributor-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-35090

First published: 2023-06-22T11:15:09.727

Last modified: 2023-06-22T12:51:23.447

Description:
Authenticated (contributor+) stored cross-site scripting (XSS) vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin, versions <= 3.0.7.

CVE ID: CVE-2023-35090

Source: audit@patchstack.com

CVSS score: 6.5

References:
https://patchstack.com/database/vulnerability/masterstudy-lms-learning-management-system/wordpress-masterstudy-lms-plugin-3-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-23807

First published: 2023-06-22T12:15:11.053

Last modified: 2023-06-22T12:51:15.117

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Qumos MojoPlug Slide Panel plugin, versions <= 1.1.2.

CVE ID: CVE-2023-23807

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/mojoplug-slide-panel/wordpress-mojoplug-slide-panel-plugin-1-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-23811

First published: 2023-06-22T12:15:11.133

Last modified: 2023-06-22T12:51:15.117

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Neil Gee Smoothscroller plugin, versions <= 1.0.0.

CVE ID: CVE-2023-23811

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/smoothscroller/wordpress-smoothscroller-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-26534

First published: 2023-06-22T12:15:11.207

Last modified: 2023-06-22T12:51:15.117

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in OneWebsite WP Repost plugin, versions <= 0.1.

CVE ID: CVE-2023-26534

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/wp-repost/wordpress-wp-repost-plugin-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-26539

First published: 2023-06-22T12:15:11.277

Last modified: 2023-06-22T12:51:15.117

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Max Chirkov Advanced Text Widget plugin, versions <= 2.1.2.

CVE ID: CVE-2023-26539

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/advanced-text-widget/wordpress-advanced-text-widget-plugin-2-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-27452

First published: 2023-06-22T12:15:11.350

Last modified: 2023-06-22T12:51:15.117

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Wow-Company Button Generator – easily Button Builder plugin, versions <= 2.3.3.

CVE ID: CVE-2023-27452

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/button-generation/wordpress-button-generator-plugin-2-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28174

First published: 2023-06-22T12:15:11.423

Last modified: 2023-06-22T12:51:15.117

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in eLightUp eRocket plugin, versions <= 1.2.4.

CVE ID: CVE-2023-28174

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/erocket/wordpress-erocket-plugin-1-2-4-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28778

First published: 2023-06-22T12:15:11.653

Last modified: 2023-06-22T12:51:15.117

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in BestWebSoft Pagination plugin, versions <= 1.2.2.

CVE ID: CVE-2023-28778

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/pagination/wordpress-pagination-by-bestwebsoft-1-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-30500

First published: 2023-06-22T12:15:11.847

Last modified: 2023-06-22T12:51:15.117

Description:
Unauthenticated reflected cross-site scripting (XSS) vulnerability in WPForms WPForms Lite (wpforms-lite) and WPForms WPForms Pro (wpforms) plugins, versions <= 1.8.1.2.

CVE ID: CVE-2023-30500

Source: audit@patchstack.com

CVSS score: 5.8

References:
https://patchstack.com/database/vulnerability/wpforms-lite/wordpress-wpforms-lite-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com
https://patchstack.com/database/vulnerability/wpforms/wordpress-wpforms-pro-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-35093

First published: 2023-06-22T12:15:12.060

Last modified: 2023-06-22T12:51:15.117

Description:
Broken access control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin, versions <= 3.0.8, allows any logged-in user, such as a subscriber, to view the plugin's "Orders" and obtain order-related data such as email, username, and more.

CVE ID: CVE-2023-35093

Source: audit@patchstack.com

CVSS score: 6.5

References:
https://patchstack.com/database/vulnerability/masterstudy-lms-learning-management-system/wordpress-masterstudy-lms-plugin-3-0-7-broken-access-control-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-35917

First published: 2023-06-22T12:15:12.137

Last modified: 2023-06-22T12:51:15.117

Description:
Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce PayPal Payments plugin, versions <= 2.0.4.

CVE ID: CVE-2023-35917

Source: audit@patchstack.com

CVSS score: 4.3

References:
https://patchstack.com/database/vulnerability/woocommerce-paypal-payments/wordpress-woocommerce-paypal-payments-plugin-2-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability ID: CVE-2023-20896

First published: 2023-06-22T13:15:09.590

Last modified: 2023-06-22T14:49:18.643

Description:
VMware vCenter Server contains an out-of-bounds read vulnerability in its implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds read by sending a specially crafted packet, leading to denial of service of certain services (vmcad, vmdird, and vmafdd).

CVE ID: CVE-2023-20896

Source: security@vmware.com

CVSS score: 5.9

References:
https://www.vmware.com/security/advisories/VMSA-2023-0014.html | source : security@vmware.com


Vulnerability ID: CVE-2023-25499

First published: 2023-06-22T13:15:09.660

Last modified: 2023-06-22T14:49:18.643

Description:
When non-visible components are added to the UI on the server side, their content is still sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 through 24.1.0.beta1, resulting in potential information disclosure.

CVE ID: CVE-2023-25499

Source: security@vaadin.com

CVSS score: 5.7

References:
https://github.com/vaadin/flow/pull/15885 | source : security@vaadin.com
https://vaadin.com/security/CVE-2023-25499 | source : security@vaadin.com


Vulnerability ID: CVE-2023-28418

First published: 2023-06-22T13:15:09.797

Last modified: 2023-06-22T14:49:18.643

Description:
Authenticated (subscriber+) reflected cross-site scripting (XSS) vulnerability in Yudlee themes Mediciti Lite theme, versions <= 1.3.0.

CVE ID: CVE-2023-28418

Source: audit@patchstack.com

CVSS score: 5.4

References:
https://patchstack.com/database/vulnerability/mediciti-lite/wordpress-mediciti-lite-theme-1-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-28774

First published: 2023-06-22T13:15:09.870

Last modified: 2023-06-22T14:49:18.643

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Grade Us, Inc. Review Stream plugin, versions <= 1.6.5.

CVE ID: CVE-2023-28774

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/review-stream/wordpress-review-stream-plugin-1-6-5-cross-site-scripting-xss?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-32239

First published: 2023-06-22T13:15:09.947

Last modified: 2023-06-22T14:49:18.643

Description:
Authenticated (subscriber+) stored cross-site scripting (XSS) vulnerability in xtemos WoodMart theme, versions <= 7.2.1.

CVE ID: CVE-2023-32239

Source: audit@patchstack.com

CVSS score: 5.4

References:
https://patchstack.com/database/vulnerability/woodmart/wordpress-woodmart-theme-7-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-33323

First published: 2023-06-22T13:15:10.093

Last modified: 2023-06-22T14:49:18.643

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Repute InfoSystems ARMember plugin, versions <= 4.0.2.

CVE ID: CVE-2023-33323

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/armember-membership/wordpress-armember-plugin-4-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-34006

First published: 2023-06-22T13:15:10.243

Last modified: 2023-06-22T14:49:18.643

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Marco Milesi Telegram Bot & Channel plugin, versions <= 3.6.2.

CVE ID: CVE-2023-34006

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/telegram-bot/wordpress-telegram-bot-channel-plugin-3-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-34368

First published: 2023-06-22T13:15:10.313

Last modified: 2023-06-22T14:49:18.643

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in Kanban for WordPress Kanban Boards for WordPress plugin, versions <= 2.5.20.

CVE ID: CVE-2023-34368

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/kanban/wordpress-kanban-boards-for-wordpress-plugin-2-5-20-cross-site-scripting-xss-vulnerability-2?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-34028

First published: 2023-06-22T15:15:13.403

Last modified: 2023-06-22T20:05:36.757

Description:
Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin, versions <= 1.0.7.

CVE ID: CVE-2023-34028

Source: audit@patchstack.com

CVSS score: 4.3

References:
https://patchstack.com/database/vulnerability/bulk-editor/wordpress-wolf-wordpress-posts-bulk-editor-and-manager-professional-plugin-1-0-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com


Vulnerability ID: CVE-2023-34170

First published: 2023-06-22T15:15:13.493

Last modified: 2023-06-22T20:05:36.757

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in WP Overnight Quick/Bulk Order Form for WooCommerce plugin, versions <= 3.5.7.

CVE ID: CVE-2023-34170

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/woocommerce-bulk-order-form/wordpress-quick-bulk-order-form-for-woocommerce-plugin-3-5-7-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability ID: CVE-2023-3114

First published: 2023-06-22T22:15:09.197

Last modified: 2023-06-23T13:03:31.027

Description:
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing a workspace to be targeted by unauthorized agents. This authorization flaw could allow a workspace to access resources belonging to a separate, higher-privileged workspace in the same organization that targeted the same agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.

CVE ID: CVE-2023-3114

Source: security@hashicorp.com

CVSS score: 5.0

References:
https://discuss.hashicorp.com/t/hcsec-2023-18-terraform-enterprise-agent-pool-controls-allowed-unauthorized-workspaces-to-target-an-agent-pool/55329 | source : security@hashicorp.com


Vulnerability ID: CVE-2023-34241

First published: 2023-06-22T23:15:09.493

Last modified: 2023-06-23T13:03:31.027

Description:
OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data from freed memory to the logging service AFTER the connection has been closed, when it should have logged that data right before closing. This is a use-after-free bug that affects the entire cupsd process. The cause is the call `httpClose(con->http)` in `scheduler/client.c`: httpClose always frees its argument (when non-null) at the end of the call, yet cupsdLogClient then passes the same pointer to httpGetHostname. The issue is reached in `cupsdAcceptClient` when LogLevel is warn or higher, in two scenarios: a double lookup of the IP address (HostNameLookups Double set in `cupsd.conf`) fails to resolve, or CUPS is compiled with TCP wrappers and the connection is refused by rules in `/etc/hosts.allow` and `/etc/hosts.deny`. Version 2.4.6 contains a patch for this issue.

CVE ID: CVE-2023-34241

Source: security-advisories@github.com

CVSS score: 5.3

References:
https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2 | source : security-advisories@github.com
https://github.com/OpenPrinting/cups/releases/tag/v2.4.6 | source : security-advisories@github.com
https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25 | source : security-advisories@github.com


Vulnerability ID: CVE-2023-34462

First published: 2023-06-22T23:15:09.573

Last modified: 2023-06-23T13:03:31.027

Description:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When neither the handler nor the channel has an idle timeout, this can be used to make a TCP server that uses `SniHandler` allocate 16MB of heap. `SniHandler` waits for the TLS handshake in order to configure a `SslHandler` according to the server name indicated in the `ClientHello` record. To do so it allocates a `ByteBuf` sized from the length value carried in the `ClientHello` record. Normally that value should be smaller than the handshake packet, but no check is performed here, and the way the code is written it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

CVE ID: CVE-2023-34462

Source: security-advisories@github.com

CVSS score: 6.5

References:
https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 | source : security-advisories@github.com
https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845 | source : security-advisories@github.com
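The allocation pattern behind CVE-2023-34462, shown as an added example that is not Netty's code and does not reproduce the check Netty added in 4.1.94.Final (that is in the linked commit). It contrasts a receiver that sizes its reassembly buffer from the 24-bit handshake length field the client controls with one that validates that field against a cap and buffers only bytes that actually arrived. The record and handshake header layout is the standard TLS framing (RFC 5246 / RFC 8446); `MAX_RECORD_BYTES`, `MAX_CLIENT_HELLO_BYTES` and the function names are this example's own, and the records are constructed inline rather than captured from a real client.

```javascript
// Added example, not Netty's code. Shows why a receiver must not size a
// reassembly buffer from the 24-bit handshake length in a ClientHello before
// it has checked that value. Header layouts follow TLS record/handshake
// framing (RFC 5246 / RFC 8446); MAX_RECORD_BYTES and MAX_CLIENT_HELLO_BYTES
// are policy values chosen for this example, not Netty constants.

const TLS_RECORD_HEADER = 5;          // content type (1), version (2), length (2)
const HANDSHAKE_HEADER = 4;           // handshake type (1), length (3)
const CONTENT_TYPE_HANDSHAKE = 0x16;
const HANDSHAKE_CLIENT_HELLO = 0x01;
const MAX_RECORD_BYTES = 16384 + 256; // 2^14 plaintext plus a small allowance
const MAX_CLIENT_HELLO_BYTES = 16384; // cap on what we are willing to reassemble

// Constructed input: one TLS record carrying the start of a ClientHello whose
// length field claims `declaredLen` bytes while only `bodyLen` bytes are sent.
function buildClientHelloRecord(declaredLen, bodyLen) {
  const body = Buffer.alloc(bodyLen, 0x41);
  const hs = Buffer.alloc(HANDSHAKE_HEADER);
  hs[0] = HANDSHAKE_CLIENT_HELLO;
  hs.writeUIntBE(declaredLen, 1, 3);                 // 3-byte length, max 0xFFFFFF (16 MiB - 1)
  const rec = Buffer.alloc(TLS_RECORD_HEADER);
  rec[0] = CONTENT_TYPE_HANDSHAKE;
  rec.writeUInt16BE(0x0303, 1);                      // legacy record version
  rec.writeUInt16BE(HANDSHAKE_HEADER + bodyLen, 3);  // bytes actually in this record
  return Buffer.concat([rec, hs, body]);
}

// The pattern the advisory describes: reserve the declared length up front.
// Returns the number of bytes such a receiver would allocate for one client.
function naiveAllocationSize(record) {
  return record.readUIntBE(TLS_RECORD_HEADER + 1, 3);
}

// Defensive pre-parse: validate every length field against what is plausible
// and what actually arrived, and only then account for buffering. Returns
// { ok: true, declaredLen, bufferedLen } or { ok: false, reason }.
function parseClientHelloPrefix(record) {
  if (record.length < TLS_RECORD_HEADER + HANDSHAKE_HEADER) {
    return { ok: false, reason: 'truncated headers' };
  }
  if (record[0] !== CONTENT_TYPE_HANDSHAKE) {
    return { ok: false, reason: 'not a handshake record' };
  }
  const recordLen = record.readUInt16BE(3);
  if (recordLen > MAX_RECORD_BYTES) {
    return { ok: false, reason: 'record length exceeds TLS maximum' };
  }
  if (record[TLS_RECORD_HEADER] !== HANDSHAKE_CLIENT_HELLO) {
    return { ok: false, reason: 'not a ClientHello' };
  }
  const declaredLen = record.readUIntBE(TLS_RECORD_HEADER + 1, 3);
  if (declaredLen > MAX_CLIENT_HELLO_BYTES) {
    // Reject before allocating anything: 0xFFFFFF here is the 16 MB case.
    return { ok: false, reason: 'declared ClientHello length exceeds cap' };
  }
  // Buffer only the handshake bytes present in this record; a legitimate
  // ClientHello spanning several records is appended to later, never pre-sized.
  const present = Math.min(record.length, TLS_RECORD_HEADER + recordLen)
    - TLS_RECORD_HEADER - HANDSHAKE_HEADER;
  const buffered = record.subarray(
    TLS_RECORD_HEADER + HANDSHAKE_HEADER,
    TLS_RECORD_HEADER + HANDSHAKE_HEADER + Math.max(present, 0)
  );
  return { ok: true, declaredLen, bufferedLen: buffered.length };
}
```

The cap is a deployment decision: a ClientHello larger than one record is legal but rare, so a server that must accept such clients raises `MAX_CLIENT_HELLO_BYTES` rather than dropping the check, and pairs it with an idle timeout so a client that declares a length and then goes silent does not hold the partial buffer indefinitely.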


Vulnérabilité ID : CVE-2023-25936

Première publication le : 2023-06-23T09:15:09.290

Dernière modification le : 2023-06-23T13:03:31.027

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-25936

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-25937

Première publication le : 2023-06-23T10:15:09.557

Dernière modification le : 2023-06-23T13:03:31.027

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-25937

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28028

Première publication le : 2023-06-23T10:15:09.637

Dernière modification le : 2023-06-23T13:03:31.027

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28028

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28029

Première publication le : 2023-06-23T10:15:09.710

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable

CVE ID : CVE-2023-28029

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28030

Première publication le : 2023-06-23T10:15:09.780

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28030

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28032

Première publication le : 2023-06-23T10:15:09.853

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28032

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28033

Première publication le : 2023-06-23T10:15:09.927

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28033

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28035

Première publication le : 2023-06-23T10:15:10.000

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28035

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28039

Première publication le : 2023-06-23T10:15:10.067

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28039

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28040

Première publication le : 2023-06-23T10:15:10.137

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28040

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28041

Première publication le : 2023-06-23T10:15:10.207

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28041

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28042

Première publication le : 2023-06-23T10:15:10.280

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28042

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28052

Première publication le : 2023-06-23T10:15:10.353

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28052

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnérabilité ID : CVE-2023-28054

Première publication le : 2023-06-23T10:15:10.420

Dernière modification le : 2023-06-23T13:03:24.293

Description :
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID : CVE-2023-28054

Source : security_alert@emc.com

Score CVSS : 5.1

Références :
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source : security_alert@emc.com


Vulnerability ID: CVE-2023-28056

First published: 2023-06-23T10:15:10.490

Last modified: 2023-06-23T13:03:24.293

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28056

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28059

First published: 2023-06-23T10:15:10.563

Last modified: 2023-06-23T13:03:24.293

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28059

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28061

First published: 2023-06-23T10:15:10.630

Last modified: 2023-06-23T13:03:24.293

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28061

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-3380

First published: 2023-06-23T10:15:10.717

Last modified: 2023-06-23T13:03:24.293

Description:
A vulnerability classified as critical has been found in Wavlink WN579X3 up to 20230615. Affected is an unknown function of the file /cgi-bin/adm.cgi of the component Ping Test. The manipulation of the argument pingIp leads to injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-232236. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID: CVE-2023-3380

Source: cna@vuldb.com

CVSS score: 4.7

References:
https://github.com/sleepyvv/vul_report/blob/main/WAVLINK/WAVLINK-WN579X3-RCE.md | source: cna@vuldb.com
https://vuldb.com/?ctiid.232236 | source: cna@vuldb.com
https://vuldb.com/?id.232236 | source: cna@vuldb.com
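
The Wavlink entry above describes an injection through the pingIp argument of a ping-test CGI. The Python block below is an added example, not code from this page or from the Wavlink firmware: it shows the string-concatenation pattern that produces this bug class next to a hardened version that accepts the parameter only as an IP literal and runs ping without a shell, plus a small detector that can be run over request logs. Function names and the ping options are my own choices.

```python
import ipaddress
import subprocess

# Characters that change the meaning of a command line once a shell parses it.
SHELL_METACHARACTERS = set(";&|`$<>(){}\n\r\\'\"")


def build_ping_command_vulnerable(ping_ip: str) -> str:
    """The bug class behind the description: the request parameter is spliced into a
    shell command line. With ping_ip = "1.1.1.1; cat /etc/passwd" the shell runs both
    commands when this string is handed to system() or popen()."""
    return "ping -c 1 " + ping_ip


def looks_like_injection(ping_ip: str) -> bool:
    """Cheap detector for request logs or WAF rules: any shell metacharacter in a
    field that should only ever hold an IP literal is worth an alert."""
    return any(ch in SHELL_METACHARACTERS for ch in ping_ip)


def validate_ping_target(ping_ip: str):
    """Accept only a syntactically valid IPv4/IPv6 address and return its canonical
    form, or None. Hostnames are rejected too, the safe default for an admin CGI."""
    try:
        return str(ipaddress.ip_address(ping_ip.strip()))
    except ValueError:
        return None


def ping_argv(ping_ip: str) -> list:
    """Build argv for ping with no shell involved. A validated IP literal can never
    start with '-', so it cannot be mistaken for an option either."""
    target = validate_ping_target(ping_ip)
    if target is None:
        raise ValueError(f"refusing to ping {ping_ip!r}: not an IP address")
    return ["ping", "-c", "1", target]


def run_ping(ping_ip: str) -> int:
    """Run the hardened command (shell=False) and return ping's exit status."""
    completed = subprocess.run(ping_argv(ping_ip), check=False, timeout=10,
                               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return completed.returncode


if __name__ == "__main__":
    payload = "1.1.1.1; cat /etc/passwd"      # constructed attacker input
    print("vulnerable command line:", build_ping_command_vulnerable(payload))
    print("flagged by detector:", looks_like_injection(payload))
    print("hardened argv for 1.1.1.1:", ping_argv("1.1.1.1"))
```

The validation step is what matters: once the value is known to be an IP literal, passing it as a separate argv element leaves nothing for a shell to interpret. The detector is deliberately coarse; it is for triage of logs against a device that cannot be patched, not a substitute for the fix.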


Vulnerability ID: CVE-2023-25938

First published: 2023-06-23T11:15:08.997

Last modified: 2023-06-23T13:03:24.293

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-25938

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28026

First published: 2023-06-23T11:15:09.073

Last modified: 2023-06-23T13:03:24.293

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28026

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28027

First published: 2023-06-23T11:15:09.143

Last modified: 2023-06-23T13:03:24.293

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28027

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28031

First published: 2023-06-23T11:15:09.210

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28031

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28034

First published: 2023-06-23T11:15:09.280

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28034

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28036

First published: 2023-06-23T11:15:09.347

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28036

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28044

First published: 2023-06-23T11:15:09.417

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28044

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28050

First published: 2023-06-23T11:15:09.490

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28050

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28058

First published: 2023-06-23T11:15:09.560

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28058

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-28060

First published: 2023-06-23T11:15:09.630

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with administrator privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

CVE ID: CVE-2023-28060

Source: security_alert@emc.com

CVSS score: 5.1

References:
https://www.dell.com/support/kbdoc/en-us/000212204/dsa-2023-099-dell-client-bios-security-update-for-multiple-improper-input-validation-vulnerabilities | source: security_alert@emc.com
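
The run of Dell BIOS entries above (all from DSA-2023-099) end in an administrator-level process modifying a UEFI variable. Which variables the firmware exposes to runtime writes, and whether it demands a signed update for them, is encoded in each variable's attribute word. The Python block below is an added example, not code from this page or from Dell: it parses entries in the efivarfs layout Linux uses (a 4-byte little-endian attribute word followed by the payload) and flags variables that are non-volatile, runtime-accessible and not protected by either authenticated-write attribute. The sample entries are constructed; the GUID on the first two is the real EFI_GLOBAL_VARIABLE GUID, the vendor GUID on the third is invented.

```python
import os
import struct
from dataclasses import dataclass

# Variable attribute bits as defined by the UEFI specification for SetVariable().
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_HARDWARE_ERROR_RECORD = 0x08
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
EFI_VARIABLE_APPEND_WRITE = 0x40

ATTRIBUTE_NAMES = {
    EFI_VARIABLE_NON_VOLATILE: "NV",
    EFI_VARIABLE_BOOTSERVICE_ACCESS: "BS",
    EFI_VARIABLE_RUNTIME_ACCESS: "RT",
    EFI_VARIABLE_HARDWARE_ERROR_RECORD: "HR",
    EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS: "AW",
    EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS: "TBAW",
    EFI_VARIABLE_APPEND_WRITE: "AP",
}


@dataclass
class EfiVariable:
    name: str          # "<Name>-<VendorGUID>", the way efivarfs names the file
    attributes: int
    data: bytes


def parse_efivarfs_entry(name: str, raw: bytes) -> EfiVariable:
    """efivarfs file layout: 4-byte little-endian attribute word, then the payload."""
    if len(raw) < 4:
        raise ValueError(f"{name}: too short for an efivarfs entry")
    (attributes,) = struct.unpack_from("<I", raw, 0)
    return EfiVariable(name, attributes, raw[4:])


def describe_attributes(attributes: int) -> str:
    labels = [label for bit, label in ATTRIBUTE_NAMES.items() if attributes & bit]
    return "|".join(labels) or "none"


def runtime_writable_without_auth(var: EfiVariable) -> bool:
    """True when the OS can rewrite the variable after ExitBootServices (RT), the
    change survives a reboot (NV), and the firmware requires no signed payload
    for the write (neither AW nor TBAW). These are the variables an administrator
    can change, legitimately or through a BIOS input-validation bug."""
    a = var.attributes
    persistent_runtime = bool(a & EFI_VARIABLE_NON_VOLATILE) and bool(a & EFI_VARIABLE_RUNTIME_ACCESS)
    authenticated = bool(a & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
                              | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS))
    return persistent_runtime and not authenticated


def audit(entries) -> list:
    """Names of the variables that are runtime-writable without authentication."""
    return [v.name for v in entries if runtime_writable_without_auth(v)]


def load_efivarfs(path: str = "/sys/firmware/efi/efivars") -> list:
    """Read the live variable store on a UEFI-booted Linux host (needs read access)."""
    entries = []
    for fname in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, fname), "rb") as fh:
                entries.append(parse_efivarfs_entry(fname, fh.read()))
        except (OSError, ValueError):
            continue        # some entries are not readable from userland; skip them
    return entries


# Constructed sample entries, not captured from a Dell machine. The vendor GUID in the
# third entry is invented.
SAMPLE_ENTRIES = [
    parse_efivarfs_entry("Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c",
                         struct.pack("<I", 0x07) + b"\x01\x00"),          # NV|BS|RT
    parse_efivarfs_entry("PK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
                         struct.pack("<I", 0x27) + b"\x00" * 8),          # NV|BS|RT|TBAW
    parse_efivarfs_entry("OemSetting-12345678-1234-1234-1234-123456789abc",
                         struct.pack("<I", 0x06) + b"\x00"),              # BS|RT, volatile
]

if __name__ == "__main__":
    for v in SAMPLE_ENTRIES:
        flag = "RUNTIME-WRITABLE, UNAUTHENTICATED" if runtime_writable_without_auth(v) else ""
        print(f"{v.name:50s} {describe_attributes(v.attributes):14s} {flag}")
```

Calling load_efivarfs() on a UEFI-booted Linux host and feeding the result to audit() lists what the firmware exposes; it says nothing about what the OS will let you write, since efivarfs marks most variables immutable by default. Variables carrying an authenticated-write attribute (the Secure Boot key variables such as PK, for instance) still require a correctly signed payload, which is why the distinction matters when assessing how far a "modify a UEFI variable" bug reaches.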


Vulnerability ID: CVE-2023-28071

First published: 2023-06-23T11:15:09.790

Last modified: 2023-06-23T13:03:18.900

Description:
Dell Command | Update, Dell Update, and Alienware Update versions 4.9.0, A01 and prior contain an Insecure Operation on Windows Junction / Mount Point vulnerability. A local malicious user could potentially exploit this vulnerability to create an arbitrary folder, leading to a permanent denial of service (DoS).

CVE ID: CVE-2023-28071

Source: security_alert@emc.com

CVSS score: 6.3

References:
https://www.dell.com/support/kbdoc/en-us/000213546/dsa-2023-170-dell-command-update | source: security_alert@emc.com


Vulnerability ID: CVE-2023-32480

First published: 2023-06-23T11:15:09.937

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an Improper Input Validation vulnerability. An unauthenticated physical attacker may potentially exploit this vulnerability to perform arbitrary code execution.

CVE ID: CVE-2023-32480

Source: security_alert@emc.com

CVSS score: 6.8

References:
https://www.dell.com/support/kbdoc/en-us/000214779/dsa-2023-175-dell-client-bios-security-update-for-an-improper-input-validation-vulnerability | source: security_alert@emc.com


Vulnerability ID: CVE-2023-3383

First published: 2023-06-23T11:15:10.030

Last modified: 2023-06-23T13:03:18.900

Description:
A vulnerability, which was classified as critical, was found in SourceCodester Game Result Matrix System 1.0. This affects an unknown part of the file /dipam/athlete-profile.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232239.

CVE ID: CVE-2023-3383

Source: cna@vuldb.com

CVSS score: 6.3

References:
https://github.com/M9KJ-TEAM/CVEReport/blob/main/SQL2.md | source: cna@vuldb.com
https://vuldb.com/?ctiid.232239 | source: cna@vuldb.com
https://vuldb.com/?id.232239 | source: cna@vuldb.com


Vulnerability ID: CVE-2023-28065

First published: 2023-06-23T12:15:09.340

Last modified: 2023-06-23T13:03:18.900

Description:
Dell Command | Update, Dell Update, and Alienware Update versions 4.8.0 and prior contain an Insecure Operation on Windows Junction / Mount Point vulnerability. A local malicious user could potentially exploit this vulnerability leading to privilege escalation.

CVE ID: CVE-2023-28065

Source: security_alert@emc.com

CVSS score: 6.7

References:
https://www.dell.com/support/kbdoc/en-us/000212574/dsa-2023-146 | source: security_alert@emc.com
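
CVE-2023-28071 and CVE-2023-28065 above both concern Dell Command | Update operating on a Windows junction or mount point that a local user planted under a path the updater writes to. The Python block below is an added example, not code from this page or from Dell: it shows the defensive walk a privileged updater needs when it creates directories under a user-influenced prefix, creating one component at a time and refusing to cross a symlink, junction or mount point (all reparse points on Windows; symlinks are the POSIX equivalent). demo() builds a scratch tree containing a planted symlink; it runs as written on Linux or macOS, where creating the link needs no privilege.

```python
import os
import stat
import tempfile

# FILE_ATTRIBUTE_REPARSE_POINT marks junctions, mount points and symlinks on Windows;
# the stat module carries the constant on every platform, the getattr is belt and braces.
_REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(st: os.stat_result) -> bool:
    """True for a POSIX symlink or any Windows reparse point, judged from lstat() output."""
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & _REPARSE)


def create_dir_without_following(base: str, relative: str, mode: int = 0o700) -> str:
    """Create base/relative one component at a time. Refuse paths that climb out of
    base, and refuse to step through any component that is a link, junction or mount
    point. A plain os.makedirs() would follow the planted junction and create the
    directory (or later write files) wherever the local user pointed it."""
    base = os.path.realpath(base)
    target = os.path.normpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{relative!r} escapes {base}")
    current = base
    for part in os.path.relpath(target, base).split(os.sep):
        if part in ("", os.curdir):
            continue
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)          # lstat: never follows the final component
        except FileNotFoundError:
            os.mkdir(current, mode)         # did not exist; now it does and we made it
            continue
        if is_reparse_point(st):
            raise PermissionError(f"refusing to follow reparse point or symlink at {current}")
        if not stat.S_ISDIR(st.st_mode):
            raise NotADirectoryError(current)
    return target


def demo() -> dict:
    """Constructed scenario: 'decoy' is where the local user wants the privileged
    process to write; 'cache' is the planted link pointing at it."""
    with tempfile.TemporaryDirectory() as root:
        decoy = os.path.join(root, "decoy")
        os.mkdir(decoy)
        os.symlink(decoy, os.path.join(root, "cache"))
        results = {}
        results["plain_ok"] = os.path.isdir(create_dir_without_following(root, "logs/2023"))
        try:
            create_dir_without_following(root, "cache/payload")
            results["link_refused"] = False
        except PermissionError:
            results["link_refused"] = True
        results["decoy_untouched"] = os.listdir(decoy) == []
        try:
            create_dir_without_following(root, "../outside")
            results["escape_refused"] = False
        except PermissionError:
            results["escape_refused"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The lstat-then-mkdir sequence still leaves a window in which the attacker can swap a real directory for a link between the two calls. The complete fix opens each component relative to a handle on its parent with link-following disabled (openat with O_NOFOLLOW on Linux; on Windows, opening with FILE_FLAG_OPEN_REPARSE_POINT and checking the attributes before descending) and does all later work through that handle, and it impersonates the requesting user, or simply refuses, for anything under a prefix that user can write to.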


Vulnerability ID: CVE-2023-35048

First published: 2023-06-23T12:15:09.833

Last modified: 2023-06-23T13:03:18.900

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in the MagePeople Team Booking and Rental Manager for Bike plugin, versions <= 1.2.1.

CVE ID: CVE-2023-35048

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/booking-and-rental-manager-for-woocommerce/wordpress-booking-and-rental-manager-plugin-1-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source: audit@patchstack.com


Vulnerability ID: CVE-2023-27427

First published: 2023-06-23T13:15:10.130

Last modified: 2023-06-23T15:14:22.530

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in the NTZApps CRM Memberships plugin, versions <= 1.6.

CVE ID: CVE-2023-27427

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/crm-memberships/wordpress-crm-memberships-plugin-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source: audit@patchstack.com


Vulnerability ID: CVE-2023-28751

First published: 2023-06-23T13:15:10.277

Last modified: 2023-06-23T15:14:22.530

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in the Wpmet Wp Ultimate Review plugin, versions <= 2.0.3.

CVE ID: CVE-2023-28751

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/wp-ultimate-review/wordpress-wp-ultimate-review-plugin-2-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve | source: audit@patchstack.com


Vulnerability ID: CVE-2023-32580

First published: 2023-06-23T13:15:10.427

Last modified: 2023-06-23T15:14:22.530

Description:
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in the WPExperts Password Protected plugin, versions <= 2.6.2.

CVE ID: CVE-2023-32580

Source: audit@patchstack.com

CVSS score: 5.9

References:
https://patchstack.com/database/vulnerability/password-protected/wordpress-password-protected-plugin-2-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source: audit@patchstack.com


Vulnerability ID: CVE-2023-3302

First published: 2023-06-23T13:15:10.517

Last modified: 2023-06-23T15:14:22.530

Description:
Improper Neutralization of Formula Elements in a CSV File in GitHub repository admidio/admidio prior to 4.2.9.

CVE ID: CVE-2023-3302

Source: security@huntr.dev

CVSS score: 6.6

References:
https://github.com/admidio/admidio/commit/c87a7074a1a73c4851263060afd76aa4d5b6415f | source: security@huntr.dev
https://huntr.dev/bounties/5e18619f-8379-464a-aad2-65883bb4e81a | source: security@huntr.dev
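
CVE-2023-3302 above is an "Improper Neutralization of Formula Elements in a CSV File" in Admidio: a value that begins with a formula leader is evaluated by the spreadsheet that opens the export. The Python block below is an added example, not Admidio's code: it neutralizes formula-leading string cells on export, leaves genuine numeric values alone (prefixing -5 with a quote is the usual regression when this fix is applied blindly, and the usual reason it gets reverted), and includes a reviewer-side check that re-parses an export and reports cells a spreadsheet would still evaluate. The sample rows are constructed.

```python
import csv
import io

# Characters that make Excel, LibreOffice Calc and Google Sheets treat a cell as a
# formula or a DDE call.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a formula-looking string with a single quote so the spreadsheet stores
    it as text. Non-string values are returned unchanged: a real number such as -5 is
    not a formula, and quoting it would corrupt numeric columns."""
    if not isinstance(value, str):
        return value
    if value and value[0] in FORMULA_LEADERS:
        return "'" + value
    return value


def export_csv(rows) -> str:
    """Write rows with every cell neutralized. csv.writer quotes fields that contain
    delimiters or quotes and doubles embedded quotes, so a payload cannot break out
    of its field either."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def _is_number(cell: str) -> bool:
    try:
        float(cell)
        return True
    except ValueError:
        return False


def find_formula_cells(csv_text: str) -> list:
    """Reviewer-side check over an export: (row, column, value) for every cell that
    still starts with a formula leader and is not simply a number."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_LEADERS and not _is_number(cell):
                hits.append((r, c, cell))
    return hits


# Constructed member-list rows; the second and third names are the classic payloads.
SAMPLE_ROWS = [
    ["id", "name", "balance"],
    [1, "Alice Example", -5],
    [2, "=cmd|' /C calc'!A0", 12.5],
    [3, "+HYPERLINK(\"http://attacker.example\")", 0],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
    print("remaining formula cells:", find_formula_cells(export_csv(SAMPLE_ROWS)))
```

The numeric exception is where the type information of the exporting code matters: apply the prefix at the point where the export still knows whether a column is text or a number, not to the already-stringified CSV line. find_formula_cells is useful as a regression test on any export endpoint, or over a directory of files produced by a version you suspect is still vulnerable.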


Vulnerability ID: CVE-2023-3303

First published: 2023-06-23T13:15:10.587

Last modified: 2023-06-23T15:14:22.530

Description:
Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

CVE ID: CVE-2023-3303

Source: security@huntr.dev

CVSS score: 6.4

References:
https://github.com/admidio/admidio/commit/3d8bafaa4e9b7a314ffdf548622a8c7b38faee8a | source: security@huntr.dev
https://huntr.dev/bounties/65d260cc-55a9-4e71-888d-cb2f66c071af | source: security@huntr.dev


Vulnerability ID: CVE-2023-3304

First published: 2023-06-23T13:15:10.663

Last modified: 2023-06-23T15:14:22.530

Description:
Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

CVE ID: CVE-2023-3304

Source: security@huntr.dev

CVSS score: 5.9

References:
https://github.com/admidio/admidio/commit/3b248b7d5e0e60a00ee2f9a6908d538d62a5837f | source: security@huntr.dev
https://huntr.dev/bounties/721fae61-3c8c-4e4b-8407-64321bc0ed17 | source: security@huntr.dev


Vulnerability ID: CVE-2023-23679

First published: 2023-06-23T15:15:09.063

Last modified: 2023-06-23T15:49:09.940

Description:
Authorization Bypass Through User-Controlled Key vulnerability in JS Help Desk js-support-ticket allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JS Help Desk from n/a through 2.7.7.

CVE ID: CVE-2023-23679

Source: audit@patchstack.com

CVSS score: 4.6

References:
https://patchstack.com/database/vulnerability/js-support-ticket/wordpress-js-help-desk-best-help-desk-support-plugin-plugin-2-7-7-idor-leading-to-ticket-deletion-vulnerability?_s_id=cve | source: audit@patchstack.com


Vulnerability ID: CVE-2023-34466

First published: 2023-06-23T16:15:09.393

Last modified: 2023-06-23T17:21:14.907

Description:
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.0-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, tags from pages not viewable to the current user are leaked by the tags API. This information can also be exploited to infer the document reference of non-viewable pages. This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0-rc-1.

CVE ID: CVE-2023-34466

Source: security-advisories@github.com

CVSS score: 4.3

References:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7f2f-pcv3-j2r7 | source: security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20002 | source: security-advisories@github.com


Vulnerability ID: CVE-2023-35925

First published: 2023-06-23T16:15:09.477

Last modified: 2023-06-23T17:21:14.907

Description:
FastAsyncWorldEdit (FAWE) is designed for efficient world editing. This vulnerability enables an attacker to select a region with the `Infinity` keyword (case-sensitive) and execute any operation on it, which can bring the server performing the operation down. This issue has been fixed in version 2.6.3.

CVE ID: CVE-2023-35925

Source: security-advisories@github.com

CVSS score: 6.2

References:
https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285 | source: security-advisories@github.com
https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3 | source: security-advisories@github.com
https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp | source: security-advisories@github.com


Vulnerability ID: CVE-2023-3391

First published: 2023-06-23T16:15:09.693

Last modified: 2023-06-23T17:21:14.907

Description:
A vulnerability was found in SourceCodester Human Resource Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file detailview.php. The manipulation of the argument employeeid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-232288.

CVE ID: CVE-2023-3391

Source: cna@vuldb.com

CVSS score: 6.3

References:
https://github.com/mohdkey/Human-Resource-Management-System/blob/main/Human%20Resource%20Management%20System%20detailview.php%20has%20Sqlinjection.pdf | source: cna@vuldb.com
https://vuldb.com/?ctiid.232288 | source: cna@vuldb.com
https://vuldb.com/?id.232288 | source: cna@vuldb.com
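
CVE-2023-3383 (athlete-profile.php, argument id) and CVE-2023-3391 (detailview.php, argument employeeid) above are the same bug: a GET parameter spliced into SQL text. The Python block below is an added example against a constructed in-memory SQLite table, not code from either SourceCodester application: it puts the interpolated query beside the parameterized one and counts the rows each returns for a normal identifier, a boolean-OR payload and a UNION payload that reads the schema table. The table and its rows are invented.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the HR application's employee data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (employeeid INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [(1, "alice", 5200), (2, "bob", 4800), (3, "carol", 6100)])
    return conn


def detail_view_vulnerable(conn, employeeid: str) -> list:
    """The pattern behind both descriptions: the GET parameter becomes part of the SQL
    text. employeeid='1 OR 1=1' returns every row; a UNION payload reads other tables."""
    sql = f"SELECT employeeid, name, salary FROM employees WHERE employeeid = {employeeid}"
    return conn.execute(sql).fetchall()


def detail_view_fixed(conn, employeeid: str) -> list:
    """Parse the identifier into the type the schema expects, then bind it as a
    parameter. The driver ships the value separately from the statement, so nothing
    in it is ever parsed as SQL."""
    try:
        eid = int(employeeid)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT employeeid, name, salary FROM employees WHERE employeeid = ?", (eid,)
    ).fetchall()


def compare(employeeid: str) -> dict:
    """Row counts returned by both handlers for the same request parameter."""
    conn = build_demo_db()
    return {
        "vulnerable": len(detail_view_vulnerable(conn, employeeid)),
        "fixed": len(detail_view_fixed(conn, employeeid)),
    }


if __name__ == "__main__":
    for param in ("2", "1 OR 1=1", "0 UNION SELECT name, sql, 0 FROM sqlite_master"):
        print(f"{param!r:55s} -> {compare(param)}")
```

The int() cast is not the fix on its own; the bound parameter is. The cast is there because the column is an integer key, and rejecting anything that is not one gives a clean error instead of a database exception, which, as the Flask-AppBuilder entry further down this page shows, can itself leak data when surfaced to the caller.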


LOW vulnerabilities [0.1, 3.9]

Vulnerability ID: CVE-2023-25500

First published: 2023-06-22T13:15:09.737

Last modified: 2023-06-22T14:49:18.643

Description:
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

CVE ID: CVE-2023-25500

Source: security@vaadin.com

CVSS score: 3.5

References:
https://github.com/vaadin/flow/pull/16935 | source: security@vaadin.com
https://vaadin.com/security/cve-2023-25500 | source: security@vaadin.com


Vulnerability ID: CVE-2023-23343

First published: 2023-06-22T22:15:09.110

Last modified: 2023-06-23T13:03:31.027

Description:
A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled domain.

CVE ID: CVE-2023-23343

Source: psirt@hcl.com

CVSS score: 2.4

References:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105601 | source: psirt@hcl.com


Vulnerability ID: CVE-2023-28016

First published: 2023-06-22T23:15:09.343

Last modified: 2023-06-23T13:03:31.027

Description:
Host Header Injection vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to supply invalid input to cause the OSD Bare Metal Server to perform a redirect to an attacker-controlled domain.

CVE ID: CVE-2023-28016

Source: psirt@hcl.com

CVSS score: 3.1

References:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105601 | source: psirt@hcl.com
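
The two HCL BigFix OSD Bare Metal Server entries above, clickjacking (CVE-2023-23343) and a Host header injection that ends in a redirect (CVE-2023-28016), are both handled at the HTTP layer. The Python block below is an added example, not code from this page or from HCL: it builds a redirect from the client-supplied Host header the way the vulnerable pattern does, then the corrected version that accepts only names the server knows itself by and only single-slash local paths, and it returns the anti-framing headers that address the clickjacking finding. The allowlist entries are invented.

```python
from urllib.parse import urlsplit

# Names (with optional port) this deployment is legitimately reachable as. Constructed.
ALLOWED_HOSTS = {"osd.example.internal", "osd.example.internal:8443"}

# Both headers: X-Frame-Options for older browsers, frame-ancestors for CSP-aware ones.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def redirect_location_vulnerable(headers: dict, path: str = "/login") -> str:
    """Builds the absolute redirect from whatever Host the client sent. A request
    carrying 'Host: attacker.example' is answered with a redirect to that domain."""
    return "https://" + headers.get("Host", "") + path


def validated_host(headers: dict) -> str:
    """Return the Host header only if it is one of the server's own names."""
    host = headers.get("Host", "").strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"Host header {host!r} is not one of this server's names")
    return host


def redirect_location_fixed(headers: dict, path: str = "/login") -> str:
    """Redirect only to a known host and only to a local path. '//evil.example' and
    '/\\evil.example' are rejected because browsers read them as protocol-relative URLs."""
    host = validated_host(headers)
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        raise ValueError("redirect path must be a single-slash local path")
    return "https://" + host + path


def response_headers_for(location: str) -> dict:
    """Headers to send with the redirect (or any page): Location plus the anti-framing pair."""
    hdrs = dict(ANTI_FRAMING_HEADERS)
    hdrs["Location"] = location
    return hdrs


def redirect_goes_offsite(location: str) -> bool:
    """Log-review helper: does a Location value point outside the allowlist?"""
    return urlsplit(location).netloc.lower() not in ALLOWED_HOSTS


if __name__ == "__main__":
    attacker_request = {"Host": "attacker.example"}          # constructed request
    print("vulnerable:", redirect_location_vulnerable(attacker_request))
    try:
        redirect_location_fixed(attacker_request)
    except ValueError as exc:
        print("fixed:", exc)
    print(response_headers_for(redirect_location_fixed({"Host": "osd.example.internal"})))
```

If the server sits behind a reverse proxy, the same check has to cover X-Forwarded-Host, which frameworks often consult ahead of Host; and the simplest variant of the fix is to emit a relative Location and let the browser resolve it, so the server never has to name itself at all.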


Vulnerability ID: CVE-2023-34110

First published: 2023-06-22T23:15:09.410

Last modified: 2023-06-23T13:03:31.027

Description:
Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges could, by adding a special character on the add/edit User forms, trigger a database error that is surfaced back to the actor in the UI. On certain database engines this error can include the entire user row, including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.

CVE ID: CVE-2023-34110

Source: security-advisories@github.com

CVSS score: 2.7

References:
https://github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626 | source: security-advisories@github.com
https://github.com/dpgaspar/Flask-AppBuilder/pull/2045 | source: security-advisories@github.com
https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.2 | source: security-advisories@github.com
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3 | source: security-advisories@github.com


Vulnerability ID: CVE-2023-23344

First published: 2023-06-23T06:15:09.707

Last modified: 2023-06-23T13:03:31.027

Description:
A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page.

CVE ID: CVE-2023-23344

Source: psirt@hcl.com

CVSS score: 3.0

References:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105705 | source: psirt@hcl.com


Vulnerability ID: CVE-2023-32463

First published: 2023-06-23T08:15:09.313

Last modified: 2023-06-23T13:03:31.027

Description:
Dell VxRail, versions 8.0.100 and earlier, contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.

CVE ID: CVE-2023-32463

Source: security_alert@emc.com

CVSS score: 3.4

References:
https://www.dell.com/support/kbdoc/en-us/000214659/dsa-2023-200-security-update-for-dell-vxrail-for-multiple-third-party-component-vulnerabilities | source: security_alert@emc.com


Vulnerability ID: CVE-2023-32464

First published: 2023-06-23T08:15:09.400

Last modified: 2023-06-23T13:03:31.027

Description:
Dell VxRail, versions prior to 7.0.450, contain an improper certificate validation vulnerability. A high privileged remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim's data in transit.

CVE ID: CVE-2023-32464

Source: security_alert@emc.com

CVSS score: 2.7

References:
https://www.dell.com/support/kbdoc/en-us/000213011/dsa-2023-071-dell-vxrail-security-update-for-multiple-third-party-component-vulnerabilities-7-0-450 | source: security_alert@emc.com


Vulnerability ID: CVE-2023-3381

First published: 2023-06-23T10:15:10.803

Last modified: 2023-06-23T13:03:24.293

Description:
A vulnerability classified as problematic was found in SourceCodester Online School Fees System 1.0. Affected by this vulnerability is an unknown functionality of the file /paysystem/datatable.php of the component GET Parameter Handler. The manipulation of the argument doj leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-232237 was assigned to this vulnerability.

CVE ID: CVE-2023-3381

Source: cna@vuldb.com

CVSS score: 3.5

References:
https://github.com/M9KJ-TEAM/CVEReport/blob/main/XSS2.md | source: cna@vuldb.com
https://vuldb.com/?ctiid.232237 | source: cna@vuldb.com
https://vuldb.com/?id.232237 | source: cna@vuldb.com


Vulnerability ID: CVE-2023-3382

First published: 2023-06-23T10:15:10.880

Last modified: 2023-06-23T13:03:24.293

Description:
A vulnerability, which was classified as problematic, has been found in SourceCodester Game Result Matrix System 1.0. Affected by this issue is some unknown functionality of the file /dipam/save-delegates.php of the component GET Parameter Handler. The manipulation of the argument del_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-232238 is the identifier assigned to this vulnerability.

CVE ID: CVE-2023-3382

Source: cna@vuldb.com

CVSS score: 3.5

References:
https://github.com/M9KJ-TEAM/CVEReport/blob/main/XSS3.md | source: cna@vuldb.com
https://vuldb.com/?ctiid.232238 | source: cna@vuldb.com
https://vuldb.com/?id.232238 | source: cna@vuldb.com


Vulnerability ID: CVE-2023-28064

First published: 2023-06-23T11:15:09.697

Last modified: 2023-06-23T13:03:18.900

Description:
Dell BIOS contains an Out-of-bounds Write vulnerability. An unauthenticated physical attacker may potentially exploit this vulnerability, leading to denial of service.

CVE ID: CVE-2023-28064

Source: security_alert@emc.com

CVSS score: 3.5

References:
https://www.dell.com/support/kbdoc/en-us/000214778/dsa-2023-174-dell-client-bios-security-update-for-an-out-of-bounds-write-vulnerability | source: security_alert@emc.com


About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
