Latest vulnerabilities [Thursday, December 14, 2023]

Latest vulnerabilities [Thursday, December 14, 2023]
{{titre}}

Last update performed on 12/14/2023 at 11:57:05 PM

(4) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : cert.vde.com

Vulnerability ID : CVE-2023-0757

First published on : 14-12-2023 14:15:42
Last modified on : 14-12-2023 14:49:08

Description :
Incorrect Permission Assignment for Critical Resource vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to upload arbitrary malicious code and gain full access on the affected device.

CVE ID : CVE-2023-0757
Source : info@cert.vde.com
CVSS Score : 9.8

References :
https://cert.vde.com/en/advisories/VDE-2023-051/ | source : info@cert.vde.com

Vulnerability : CWE-732


Vulnerability ID : CVE-2023-46141

First published on : 14-12-2023 14:15:42
Last modified on : 14-12-2023 14:49:08

Description :
Incorrect Permission Assignment for Critical Resource vulnerability in multiple products of the PHOENIX CONTACT classic line allow an remote unauthenticated attacker to gain full access of the affected device.

CVE ID : CVE-2023-46141
Source : info@cert.vde.com
CVSS Score : 9.8

References :
https://cert.vde.com/en/advisories/VDE-2023-055/ | source : info@cert.vde.com

Vulnerability : CWE-732


Source : huntr.dev

Vulnerability ID : CVE-2023-6572

First published on : 14-12-2023 14:15:46
Last modified on : 14-12-2023 14:49:08

Description :
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository gradio-app/gradio prior to main.

CVE ID : CVE-2023-6572
Source : security@huntr.dev
CVSS Score : 9.6

References :
https://github.com/gradio-app/gradio/commit/5b5af1899dd98d63e1f9b48a93601c2db1f56520 | source : security@huntr.dev
https://huntr.com/bounties/21d2ff0c-d43a-4afd-bb4d-049ee8da5b5c | source : security@huntr.dev

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-6569

First published on : 14-12-2023 13:15:55
Last modified on : 14-12-2023 13:51:59

Description :
External Control of File Name or Path in h2oai/h2o-3

CVE ID : CVE-2023-6569
Source : security@huntr.dev
CVSS Score : 9.3

References :
https://huntr.com/bounties/a5d003dc-c23e-4c98-8dcf-35ba9252fa3c | source : security@huntr.dev

Vulnerability : CWE-73


(48) HIGH VULNERABILITIES [7.0, 8.9]

Source : cert.vde.com

Vulnerability ID : CVE-2023-46142

First published on : 14-12-2023 14:15:42
Last modified on : 14-12-2023 14:49:08

Description :
A incorrect permission assignment for critical resource vulnerability in PLCnext products allows an remote attacker with low privileges to gain full access on the affected devices.

CVE ID : CVE-2023-46142
Source : info@cert.vde.com
CVSS Score : 8.8

References :
https://https://cert.vde.com/en/advisories/VDE-2023-056/ | source : info@cert.vde.com

Vulnerability : CWE-732


Vulnerability ID : CVE-2023-46144

First published on : 14-12-2023 14:15:43
Last modified on : 14-12-2023 14:49:08

Description :
A download of code without integrity check vulnerability in PLCnext products allows an remote attacker with low privileges to compromise integrity on the affected engineering station and the connected devices.

CVE ID : CVE-2023-46144
Source : info@cert.vde.com
CVSS Score : 7.7

References :
https://https://cert.vde.com/en/advisories/VDE-2023-056/ | source : info@cert.vde.com

Vulnerability : CWE-494


Vulnerability ID : CVE-2023-46143

First published on : 14-12-2023 14:15:43
Last modified on : 14-12-2023 14:49:08

Description :
Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT classic line PLCs allows an unauthenticated remote attacker to modify some or all applications on a PLC.

CVE ID : CVE-2023-46143
Source : info@cert.vde.com
CVSS Score : 7.5

References :
https://cert.vde.com/en/advisories/VDE-2023-057/ | source : info@cert.vde.com

Vulnerability : CWE-494


Vulnerability ID : CVE-2023-5592

First published on : 14-12-2023 14:15:45
Last modified on : 14-12-2023 14:49:08

Description :
Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to download and execute applications without integrity checks on the device which may result in a complete loss of integrity.

CVE ID : CVE-2023-5592
Source : info@cert.vde.com
CVSS Score : 7.5

References :
https://cert.vde.com/en/advisories/VDE-2023-054/ | source : info@cert.vde.com

Vulnerability : CWE-494


Source : emc.com

Vulnerability ID : CVE-2023-44286

First published on : 14-12-2023 16:15:48
Last modified on : 14-12-2023 17:17:58

Description :
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user's DOM environment in the browser. . Exploitation may lead to information disclosure, session theft, or client-side request forgery.

CVE ID : CVE-2023-44286
Source : security_alert@emc.com
CVSS Score : 8.8

References :
https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-48668

First published on : 14-12-2023 16:15:50
Last modified on : 14-12-2023 17:17:54

Description :
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC.

CVE ID : CVE-2023-48668
Source : security_alert@emc.com
CVSS Score : 8.2

References :
https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2023-44277

First published on : 14-12-2023 15:15:08
Last modified on : 14-12-2023 15:20:34

Description :
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

CVE ID : CVE-2023-44277
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2023-44285

First published on : 14-12-2023 16:15:47
Last modified on : 14-12-2023 17:17:58

Description :
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege.

CVE ID : CVE-2023-44285
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-1220


Vulnerability ID : CVE-2023-48660

First published on : 14-12-2023 16:15:48
Last modified on : 14-12-2023 17:17:58

Description :
Dell vApp Manger, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.

CVE ID : CVE-2023-48660
Source : security_alert@emc.com
CVSS Score : 7.5

References :
https://www.dell.com/support/kbdoc/en-us/000220427/dsa-2023-443-dell-powermaxos-5978-dell-unisphere-360-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-solutions-enabler-virtual-appliance-and-dell-powermax-eem-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-22


Vulnerability ID : CVE-2023-48671

First published on : 14-12-2023 17:15:07
Last modified on : 14-12-2023 17:17:50

Description :
Dell vApp Manager, versions prior to 9.2.4.x contain an information disclosure vulnerability. A remote attacker could potentially exploit this vulnerability leading to obtain sensitive information that may aid in further attacks.

CVE ID : CVE-2023-48671
Source : security_alert@emc.com
CVSS Score : 7.5

References :
https://www.dell.com/support/kbdoc/en-us/000220427/dsa-2023-443-dell-powermaxos-5978-dell-unisphere-360-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-solutions-enabler-virtual-appliance-and-dell-powermax-eem-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-48662

First published on : 14-12-2023 16:15:49
Last modified on : 14-12-2023 17:17:58

Description :
Dell vApp Manager, versions prior to 9.2.4.x contain a command injection vulnerability. A remote malicious user with high privileges could potentially exploit this vulnerability leading to the execution of arbitrary OS commands on the affected system.

CVE ID : CVE-2023-48662
Source : security_alert@emc.com
CVSS Score : 7.2

References :
https://www.dell.com/support/kbdoc/en-us/000220427/dsa-2023-443-dell-powermaxos-5978-dell-unisphere-360-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-solutions-enabler-virtual-appliance-and-dell-powermax-eem-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2023-48663

First published on : 14-12-2023 16:15:49
Last modified on : 14-12-2023 17:17:54

Description :
Dell vApp Manager, versions prior to 9.2.4.x contain a command injection vulnerability. A remote malicious user with high privileges could potentially exploit this vulnerability leading to the execution of arbitrary OS commands on the affected system.

CVE ID : CVE-2023-48663
Source : security_alert@emc.com
CVSS Score : 7.2

References :
https://www.dell.com/support/kbdoc/en-us/000220427/dsa-2023-443-dell-powermaxos-5978-dell-unisphere-360-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-solutions-enabler-virtual-appliance-and-dell-powermax-eem-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2023-48664

First published on : 14-12-2023 16:15:49
Last modified on : 14-12-2023 17:17:54

Description :
Dell vApp Manager, versions prior to 9.2.4.x contain a command injection vulnerability. A remote malicious user with high privileges could potentially exploit this vulnerability leading to the execution of arbitrary OS commands on the affected system.

CVE ID : CVE-2023-48664
Source : security_alert@emc.com
CVSS Score : 7.2

References :
https://www.dell.com/support/kbdoc/en-us/000220427/dsa-2023-443-dell-powermaxos-5978-dell-unisphere-360-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-solutions-enabler-virtual-appliance-and-dell-powermax-eem-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2023-48665

First published on : 14-12-2023 16:15:49
Last modified on : 14-12-2023 17:17:54

Description :
Dell vApp Manager, versions prior to 9.2.4.x contain a command injection vulnerability. A remote malicious user with high privileges could potentially exploit this vulnerability leading to the execution of arbitrary OS commands on the affected system.

CVE ID : CVE-2023-48665
Source : security_alert@emc.com
CVSS Score : 7.2

References :
https://www.dell.com/support/kbdoc/en-us/000220427/dsa-2023-443-dell-powermaxos-5978-dell-unisphere-360-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-solutions-enabler-virtual-appliance-and-dell-powermax-eem-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2023-48667

First published on : 14-12-2023 16:15:50
Last modified on : 14-12-2023 17:17:54

Description :
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker.

CVE ID : CVE-2023-48667
Source : security_alert@emc.com
CVSS Score : 7.2

References :
https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Source : github.com

Vulnerability ID : CVE-2023-42799

First published on : 14-12-2023 17:15:07
Last modified on : 14-12-2023 17:17:50

Description :
Moonlight-common-c contains the core GameStream client code shared between Moonlight clients. Moonlight-common-c is vulnerable to buffer overflow starting in commit 50c0a51b10ecc5b3415ea78c21d96d679e2288f9 due to unmitigated usage of unsafe C functions and improper bounds checking. A malicious game streaming server could exploit a buffer overflow vulnerability to crash a moonlight client, or achieve remote code execution (RCE) on the client (with insufficient exploit mitigations or if mitigations can be bypassed). The bug was addressed in commit 02b7742f4d19631024bd766bd2bb76715780004e.

CVE ID : CVE-2023-42799
Source : security-advisories@github.com
CVSS Score : 8.8

References :
https://github.com/moonlight-stream/moonlight-common-c/commit/02b7742f4d19631024bd766bd2bb76715780004e | source : security-advisories@github.com
https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9 | source : security-advisories@github.com
https://github.com/moonlight-stream/moonlight-common-c/security/advisories/GHSA-r8cf-45f4-vf8m | source : security-advisories@github.com

Vulnerability : CWE-120


Vulnerability ID : CVE-2023-42800

First published on : 14-12-2023 17:15:07
Last modified on : 14-12-2023 17:17:50

Description :
Moonlight-common-c contains the core GameStream client code shared between Moonlight clients. Moonlight-common-c is vulnerable to buffer overflow starting in commit 50c0a51b10ecc5b3415ea78c21d96d679e2288f9 due to unmitigated usage of unsafe C functions and improper bounds checking. A malicious game streaming server could exploit a buffer overflow vulnerability to crash a moonlight client, or achieve remote code execution (RCE) on the client (with insufficient exploit mitigations or if mitigations can be bypassed). The bug was addressed in commit 24750d4b748fefa03d09fcfd6d45056faca354e0.

CVE ID : CVE-2023-42800
Source : security-advisories@github.com
CVSS Score : 8.8

References :
https://github.com/moonlight-stream/moonlight-common-c/blob/2bb026c763fc18807d7e4a93f918054c488f84e1/src/RtspConnection.c#L796 | source : security-advisories@github.com
https://github.com/moonlight-stream/moonlight-common-c/commit/24750d4b748fefa03d09fcfd6d45056faca354e0 | source : security-advisories@github.com
https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9 | source : security-advisories@github.com
https://github.com/moonlight-stream/moonlight-common-c/security/advisories/GHSA-4927-23jw-rq62 | source : security-advisories@github.com

Vulnerability : CWE-120


Vulnerability ID : CVE-2023-50269

First published on : 14-12-2023 18:15:45
Last modified on : 14-12-2023 19:26:01

Description :
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.

CVE ID : CVE-2023-50269
Source : security-advisories@github.com
CVSS Score : 8.6

References :
http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch | source : security-advisories@github.com
http://www.squid-cache.org/Versions/v6/SQUID-2023_10.patch | source : security-advisories@github.com
https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3 | source : security-advisories@github.com

Vulnerability : CWE-674


Vulnerability ID : CVE-2023-42801

First published on : 14-12-2023 17:15:07
Last modified on : 14-12-2023 17:17:50

Description :
Moonlight-common-c contains the core GameStream client code shared between Moonlight clients. Moonlight-common-c is vulnerable to buffer overflow starting in commit f57bd745b4cbed577ea654fad4701bea4d38b44c. A malicious game streaming server could exploit a buffer overflow vulnerability to crash a moonlight client. Achieving RCE is possible but unlikely, due to stack canaries in use by modern compiler toolchains. The published binaries for official clients Qt, Android, iOS/tvOS, and Embedded are built with stack canaries, but some unofficial clients may not use stack canaries. This vulnerability takes place after the pairing process, so it requires the client to be tricked into pairing to a malicious host. It is not possible to perform using a man-in-the-middle due to public key pinning that takes place during the pairing process. The bug was addressed in commit b2497a3918a6d79808d9fd0c04734786e70d5954.

CVE ID : CVE-2023-42801
Source : security-advisories@github.com
CVSS Score : 7.6

References :
https://github.com/moonlight-stream/moonlight-common-c/blob/c1744de06938b5a5c8897a705be1bc6508dc7580/src/Misc.c#L82-L88 | source : security-advisories@github.com
https://github.com/moonlight-stream/moonlight-common-c/commit/b2497a3918a6d79808d9fd0c04734786e70d5954 | source : security-advisories@github.com
https://github.com/moonlight-stream/moonlight-common-c/commit/f57bd745b4cbed577ea654fad4701bea4d38b44c | source : security-advisories@github.com
https://github.com/moonlight-stream/moonlight-common-c/security/advisories/GHSA-f3h8-j898-5h5v | source : security-advisories@github.com

Vulnerability : CWE-120


Vulnerability ID : CVE-2023-37457

First published on : 14-12-2023 20:15:52
Last modified on : 14-12-2023 22:44:49

Description :
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.

CVE ID : CVE-2023-37457
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa | source : security-advisories@github.com
https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh | source : security-advisories@github.com

Vulnerability : CWE-120


Vulnerability ID : CVE-2023-49786

First published on : 14-12-2023 20:15:52
Last modified on : 14-12-2023 22:44:49

Description :
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6.

CVE ID : CVE-2023-49786
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race | source : security-advisories@github.com
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05 | source : security-advisories@github.com
https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq | source : security-advisories@github.com

Vulnerability : CWE-703


Source : zte.com.cn

Vulnerability ID : CVE-2023-25643

First published on : 14-12-2023 08:15:38
Last modified on : 14-12-2023 13:52:06

Description :
There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.

CVE ID : CVE-2023-25643
Source : psirt@zte.com.cn
CVSS Score : 8.4

References :
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032504 | source : psirt@zte.com.cn

Vulnerability : CWE-77


Source : se.com

Vulnerability ID : CVE-2023-5629

First published on : 14-12-2023 05:15:12
Last modified on : 14-12-2023 13:52:06

Description :
A CWE-601:URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability exists that could cause disclosure of information through phishing attempts over HTTP.

CVE ID : CVE-2023-5629
Source : cybersecurity@se.com
CVSS Score : 8.2

References :
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-346-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-346-01.pdf | source : cybersecurity@se.com

Vulnerability : CWE-601


Source : huntr.dev

Vulnerability ID : CVE-2023-6570

First published on : 14-12-2023 13:15:55
Last modified on : 14-12-2023 13:51:59

Description :
Server-Side Request Forgery (SSRF) in kubeflow/kubeflow

CVE ID : CVE-2023-6570
Source : security@huntr.dev
CVSS Score : 7.7

References :
https://huntr.com/bounties/82d6e853-013b-4029-a23f-8b50ec56602a | source : security@huntr.dev

Vulnerability : CWE-918


Source : redhat.com

Vulnerability ID : CVE-2023-6563

First published on : 14-12-2023 18:15:45
Last modified on : 14-12-2023 22:15:44

Description :
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

CVE ID : CVE-2023-6563
Source : secalert@redhat.com
CVSS Score : 7.7

References :
https://access.redhat.com/errata/RHSA-2023:7854 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7855 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7856 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7857 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7858 | source : secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2023-6563 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2253308 | source : secalert@redhat.com
https://github.com/keycloak/keycloak/issues/13340 | source : secalert@redhat.com

Vulnerability : CWE-770


Source : progress.com

Vulnerability ID : CVE-2023-6364

First published on : 14-12-2023 16:15:52
Last modified on : 14-12-2023 17:17:54

Description :
In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a dashboard component. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

CVE ID : CVE-2023-6364
Source : security@progress.com
CVSS Score : 7.6

References :
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 | source : security@progress.com
https://www.progress.com/network-monitoring | source : security@progress.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-6365

First published on : 14-12-2023 16:15:53
Last modified on : 14-12-2023 17:17:50

Description :
In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a device group. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

CVE ID : CVE-2023-6365
Source : security@progress.com
CVSS Score : 7.6

References :
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 | source : security@progress.com
https://www.progress.com/network-monitoring | source : security@progress.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-6366

First published on : 14-12-2023 16:15:53
Last modified on : 14-12-2023 17:17:50

Description :
In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Alert Center. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

CVE ID : CVE-2023-6366
Source : security@progress.com
CVSS Score : 7.6

References :
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 | source : security@progress.com
https://www.progress.com/network-monitoring | source : security@progress.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-6367

First published on : 14-12-2023 16:15:53
Last modified on : 14-12-2023 17:17:50

Description :
In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Roles. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

CVE ID : CVE-2023-6367
Source : security@progress.com
CVSS Score : 7.6

References :
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 | source : security@progress.com
https://www.progress.com/network-monitoring | source : security@progress.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-6595

First published on : 14-12-2023 16:15:54
Last modified on : 14-12-2023 17:17:50

Description :
In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold.

CVE ID : CVE-2023-6595
Source : security@progress.com
CVSS Score : 7.5

References :
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 | source : security@progress.com
https://www.progress.com/network-monitoring | source : security@progress.com

Vulnerability : CWE-862


Source : us.ibm.com

Vulnerability ID : CVE-2023-43042

First published on : 14-12-2023 01:15:07
Last modified on : 14-12-2023 13:52:16

Description :
IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize 8.3 products use default passwords for a privileged user. IBM X-Force ID: 266874.

CVE ID : CVE-2023-43042
Source : psirt@us.ibm.com
CVSS Score : 7.5

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/266874 | source : psirt@us.ibm.com
https://https://www.ibm.com/support/pages/node/7064976 | source : psirt@us.ibm.com

Vulnerability : CWE-1393


Vulnerability ID : CVE-2023-45182

First published on : 14-12-2023 14:15:42
Last modified on : 14-12-2023 14:49:08

Description :
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems. IBM X-Force ID: 268265.

CVE ID : CVE-2023-45182
Source : psirt@us.ibm.com
CVSS Score : 7.4

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/268265 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7091942 | source : psirt@us.ibm.com

Vulnerability : CWE-922


Vulnerability ID : CVE-2023-45185

First published on : 14-12-2023 14:15:42
Last modified on : 14-12-2023 14:49:08

Description :
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the user's authority. IBM X-Force ID: 268273.

CVE ID : CVE-2023-45185
Source : psirt@us.ibm.com
CVSS Score : 7.4

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/268273 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7091942 | source : psirt@us.ibm.com

Vulnerability : CWE-502


Source : jci.com

Vulnerability ID : CVE-2023-0248

First published on : 14-12-2023 21:15:07
Last modified on : 14-12-2023 22:44:49

Description :
An attacker with physical access to the Kantech Gen1 ioSmart card reader with firmware version prior to 1.7.2 in certain circumstances can recover the reader's communication memory between the card and reader.

CVE ID : CVE-2023-0248
Source : productsecurity@jci.com
CVSS Score : 7.5

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-02 | source : productsecurity@jci.com
https://www.johnsoncontrols.com/cyber-solutions/security-advisories | source : productsecurity@jci.com

Vulnerability : CWE-200
Vulnerability : CWE-401


Source : hackerone.com

Vulnerability ID : CVE-2023-41719

First published on : 14-12-2023 02:15:12
Last modified on : 14-12-2023 13:52:16

Description :
A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker impersonating an administrator may craft a specific web request which may lead to remote code execution.

CVE ID : CVE-2023-41719
Source : support@hackerone.com
CVSS Score : 7.2

References :
https://forums.ivanti.com/s/article/Security-patch-release-Ivanti-Connect-Secure-22-6R2-and-22-6R2-1?language=en_US | source : support@hackerone.com


Vulnerability ID : CVE-2023-41720

First published on : 14-12-2023 02:15:12
Last modified on : 14-12-2023 13:52:06

Description :
A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker with a foothold on an Ivanti Connect Secure (ICS) appliance can escalate their privileges by exploiting a vulnerable installed application. This vulnerability allows the attacker to gain elevated execution privileges on the affected system.

CVE ID : CVE-2023-41720
Source : support@hackerone.com
CVSS Score : 7.0

References :
https://forums.ivanti.com/s/article/Security-patch-release-Ivanti-Connect-Secure-22-6R2-and-22-6R2-1?language=en_US | source : support@hackerone.com


Source : patchstack.com

Vulnerability ID : CVE-2022-45365

First published on : 14-12-2023 15:15:07
Last modified on : 14-12-2023 15:20:34

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Uroševi? Stock Ticker allows Reflected XSS.This issue affects Stock Ticker: from n/a through 3.23.2.

CVE ID : CVE-2022-45365
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49739

First published on : 14-12-2023 15:15:08
Last modified on : 14-12-2023 15:20:34

Description :
[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]

CVE ID : CVE-2023-49739
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/powerpack-elements/wordpress-powerpack-pro-for-elementor-plugin-2-9-23-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49740

First published on : 14-12-2023 15:15:08
Last modified on : 14-12-2023 15:20:34

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Seraphinite Solutions Seraphinite Accelerator allows Reflected XSS.This issue affects Seraphinite Accelerator: from n/a through 2.20.28.

CVE ID : CVE-2023-49740
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/seraphinite-accelerator/wordpress-seraphinite-accelerator-plugin-2-20-28-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49827

First published on : 14-12-2023 15:15:09
Last modified on : 14-12-2023 15:20:34

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme allows Reflected XSS.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.

CVE ID : CVE-2023-49827
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/soledad/wordpress-soledad-theme-8-4-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49171

First published on : 14-12-2023 16:15:50
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TheInnovs Innovs HR – Complete Human Resource Management System for Your Business allows Reflected XSS.This issue affects Innovs HR – Complete Human Resource Management System for Your Business: from n/a through 1.0.3.4.

CVE ID : CVE-2023-49171
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/innovs-hr-manager/wordpress-innovs-hr-plugin-1-0-3-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49172

First published on : 14-12-2023 16:15:50
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BrainCert BrainCert – HTML5 Virtual Classroom allows Reflected XSS.This issue affects BrainCert – HTML5 Virtual Classroom: from n/a through 1.30.

CVE ID : CVE-2023-49172
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/html5-virtual-classroom/wordpress-braincert-html5-virtual-classroom-plugin-1-30-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49766

First published on : 14-12-2023 16:15:51
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 allows Stored XSS.This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.2.0.

CVE ID : CVE-2023-49766
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/ultimate-addons-for-contact-form-7/wordpress-ultimate-addons-for-contact-form-7-plugin-3-2-0-unauthenticated-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49771

First published on : 14-12-2023 16:15:51
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Peter Raschendorfer Smart External Link Click Monitor [Link Log] allows Reflected XSS.This issue affects Smart External Link Click Monitor [Link Log]: from n/a through 5.0.2.

CVE ID : CVE-2023-49771
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/link-log/wordpress-smart-external-link-click-monitor-link-log-plugin-5-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49813

First published on : 14-12-2023 16:15:52
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Stored XSS.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.

CVE ID : CVE-2023-49813
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/wp-photo-album-plus/wordpress-wp-photo-album-plus-plugin-8-5-02-005-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-48756

First published on : 14-12-2023 17:15:08
Last modified on : 14-12-2023 17:17:50

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor allows Reflected XSS.This issue affects JetBlocks For Elementor: from n/a through 1.3.8.

CVE ID : CVE-2023-48756
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/jet-blocks/wordpress-jetblocks-for-elementor-plugin-1-3-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-48767

First published on : 14-12-2023 17:15:08
Last modified on : 14-12-2023 17:17:50

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raghu Goriya MyTube PlayList allows Reflected XSS.This issue affects MyTube PlayList: from n/a through 2.0.3.

CVE ID : CVE-2023-48767
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/mytube/wordpress-mytube-playlist-plugin-2-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-48771

First published on : 14-12-2023 17:15:08
Last modified on : 14-12-2023 17:17:50

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bruno "Aesqe" Babic File Gallery allows Reflected XSS.This issue affects File Gallery: from n/a through 1.8.5.4.

CVE ID : CVE-2023-48771
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/file-gallery/wordpress-file-gallery-plugin-1-8-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


(56) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : emc.com

Vulnerability ID : CVE-2023-44278

First published on : 14-12-2023 16:15:45
Last modified on : 14-12-2023 17:17:58

Description :
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application.

CVE ID : CVE-2023-44278
Source : security_alert@emc.com
CVSS Score : 6.7

References :
https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-22


Vulnerability ID : CVE-2023-44279

First published on : 14-12-2023 16:15:46
Last modified on : 14-12-2023 17:17:58

Description :
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker

CVE ID : CVE-2023-44279
Source : security_alert@emc.com
CVSS Score : 6.7

References :
https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2023-48661

First published on : 14-12-2023 16:15:49
Last modified on : 14-12-2023 17:17:58

Description :
Dell vApp Manager, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote malicious user with high privileges could potentially exploit this vulnerability to read arbitrary files from the target system.

CVE ID : CVE-2023-48661
Source : security_alert@emc.com
CVSS Score : 4.9

References :
https://www.dell.com/support/kbdoc/en-us/000220427/dsa-2023-443-dell-powermaxos-5978-dell-unisphere-360-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-solutions-enabler-virtual-appliance-and-dell-powermax-eem-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-552


Vulnerability ID : CVE-2023-44284

First published on : 14-12-2023 16:15:46
Last modified on : 14-12-2023 17:17:58

Description :
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data.

CVE ID : CVE-2023-44284
Source : security_alert@emc.com
CVSS Score : 4.3

References :
https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-89


Source : microsoft.com

Vulnerability ID : CVE-2023-21751

First published on : 14-12-2023 00:15:42
Last modified on : 14-12-2023 13:52:16

Description :
Azure DevOps Server Spoofing Vulnerability

CVE ID : CVE-2023-21751
Source : secure@microsoft.com
CVSS Score : 6.5

References :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21751 | source : secure@microsoft.com


Source : se.com

Vulnerability ID : CVE-2023-5630

First published on : 14-12-2023 05:15:13
Last modified on : 14-12-2023 13:52:06

Description :
A CWE-494: Download of Code Without Integrity Check vulnerability exists that could allow a privileged user to install an untrusted firmware.

CVE ID : CVE-2023-5630
Source : cybersecurity@se.com
CVSS Score : 6.5

References :
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-346-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-346-01.pdf | source : cybersecurity@se.com

Vulnerability : CWE-494


Vulnerability ID : CVE-2023-6407

First published on : 14-12-2023 05:15:14
Last modified on : 14-12-2023 13:52:06

Description :
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker.

CVE ID : CVE-2023-6407
Source : cybersecurity@se.com
CVSS Score : 5.3

References :
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-346-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-346-03.pdf | source : cybersecurity@se.com

Vulnerability : CWE-22


Source : zte.com.cn

Vulnerability ID : CVE-2023-25648

First published on : 14-12-2023 07:15:07
Last modified on : 14-12-2023 13:52:06

Description :
There is a weak folder permission vulnerability in ZTE's ZXCLOUD iRAI product. Due to weak folder permission, an attacker with ordinary user privileges could construct a fake DLL to execute command to escalate local privileges.

CVE ID : CVE-2023-25648
Source : psirt@zte.com.cn
CVSS Score : 6.5

References :
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032584 | source : psirt@zte.com.cn

Vulnerability : CWE-732


Vulnerability ID : CVE-2023-25650

First published on : 14-12-2023 07:15:07
Last modified on : 14-12-2023 13:52:06

Description :
There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.

CVE ID : CVE-2023-25650
Source : psirt@zte.com.cn
CVSS Score : 6.5

References :
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904 | source : psirt@zte.com.cn

Vulnerability : CWE-20


Vulnerability ID : CVE-2023-25644

First published on : 14-12-2023 08:15:38
Last modified on : 14-12-2023 13:51:59

Description :
There is a denial of service vulnerability in some ZTE mobile internet products. Due to insufficient validation of Web interface parameter, an attacker could use the vulnerability to perform a denial of service attack.

CVE ID : CVE-2023-25644
Source : psirt@zte.com.cn
CVSS Score : 6.5

References :
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032624 | source : psirt@zte.com.cn

Vulnerability : CWE-755


Vulnerability ID : CVE-2023-25642

First published on : 14-12-2023 08:15:37
Last modified on : 14-12-2023 13:52:06

Description :
There is a buffer overflow vulnerability in some ZTE mobile internet producsts. Due to insufficient validation of tcp port parameter, an authenticated attacker could use the vulnerability to perform a denial of service attack.

CVE ID : CVE-2023-25642
Source : psirt@zte.com.cn
CVSS Score : 5.9

References :
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032504 | source : psirt@zte.com.cn

Vulnerability : CWE-120


Vulnerability ID : CVE-2023-25651

First published on : 14-12-2023 07:15:08
Last modified on : 14-12-2023 13:52:06

Description :
There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.

CVE ID : CVE-2023-25651
Source : psirt@zte.com.cn
CVSS Score : 4.3

References :
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684 | source : psirt@zte.com.cn

Vulnerability : CWE-20


Source : patchstack.com

Vulnerability ID : CVE-2023-50371

First published on : 14-12-2023 13:15:54
Last modified on : 14-12-2023 14:15:45

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress allows Stored XSS.This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 8.0.6.

CVE ID : CVE-2023-50371
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/advanced-page-visit-counter/wordpress-advanced-page-visit-counter-plugin-8-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49846

First published on : 14-12-2023 14:15:44
Last modified on : 14-12-2023 14:49:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paul Bearne Author Avatars List/Block allows Stored XSS.This issue affects Author Avatars List/Block: from n/a through 2.1.17.

CVE ID : CVE-2023-49846
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/author-avatars/wordpress-author-avatars-list-block-plugin-2-1-16-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49847

First published on : 14-12-2023 14:15:44
Last modified on : 14-12-2023 14:49:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Twinpictures Annual Archive allows Stored XSS.This issue affects Annual Archive: from n/a through 1.6.0.

CVE ID : CVE-2023-49847
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/anual-archive/wordpress-annual-archive-plugin-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-50368

First published on : 14-12-2023 14:15:44
Last modified on : 14-12-2023 14:49:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Shortcodes and extra features for Phlox theme allows Stored XSS.This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.15.2.

CVE ID : CVE-2023-50368
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/auxin-elements/wordpress-shortcodes-and-extra-features-for-phlox-theme-plugin-2-15-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-50369

First published on : 14-12-2023 14:15:44
Last modified on : 14-12-2023 14:49:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alma Alma – Pay in installments or later for WooCommerce allows Stored XSS.This issue affects Alma – Pay in installments or later for WooCommerce: from n/a through 5.1.3.

CVE ID : CVE-2023-50369
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/alma-gateway-for-woocommerce/wordpress-alma-plugin-5-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-50370

First published on : 14-12-2023 14:15:45
Last modified on : 14-12-2023 14:49:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh WPBakery Page Builder Addons by Livemesh allows Stored XSS.This issue affects WPBakery Page Builder Addons by Livemesh: from n/a through 3.5.

CVE ID : CVE-2023-50370
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/addons-for-visual-composer/wordpress-livemesh-addons-for-wpbakery-page-builder-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49168

First published on : 14-12-2023 15:15:08
Last modified on : 14-12-2023 15:20:34

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.

CVE ID : CVE-2023-49168
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49745

First published on : 14-12-2023 15:15:09
Last modified on : 14-12-2023 15:20:34

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spiffy Plugins Spiffy Calendar allows Stored XSS.This issue affects Spiffy Calendar: from n/a through 4.9.5.

CVE ID : CVE-2023-49745
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-5-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49828

First published on : 14-12-2023 15:15:09
Last modified on : 14-12-2023 15:20:34

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo allows Stored XSS.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 6.4.2.

CVE ID : CVE-2023-49828
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woopayments-plugin-6-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49833

First published on : 14-12-2023 15:15:09
Last modified on : 14-12-2023 15:20:34

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Spectra – WordPress Gutenberg Blocks allows Stored XSS.This issue affects Spectra – WordPress Gutenberg Blocks: from n/a through 2.7.9.

CVE ID : CVE-2023-49833
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-plugin-2-7-9-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49173

First published on : 14-12-2023 16:15:51
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10to8 Sign In Scheduling Online Appointment Booking System allows Stored XSS.This issue affects Sign In Scheduling Online Appointment Booking System: from n/a through 1.0.9.

CVE ID : CVE-2023-49173
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/10to8-online-booking/wordpress-10to8-online-appointment-booking-system-plugin-1-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49820

First published on : 14-12-2023 16:15:52
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gordon Böhme, Antonio Leutsch Structured Content (JSON-LD) #wpsc allows Stored XSS.This issue affects Structured Content (JSON-LD) #wpsc: from n/a through 1.5.3.

CVE ID : CVE-2023-49820
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/structured-content/wordpress-structured-content-json-ld-wpsc-plugin-1-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-48770

First published on : 14-12-2023 17:15:08
Last modified on : 14-12-2023 17:17:50

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nima Saberi Aparat allows Stored XSS.This issue affects Aparat: from n/a through 1.7.1.

CVE ID : CVE-2023-48770
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/aparat/wordpress-aparat-plugin-1-7-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-48780

First published on : 14-12-2023 17:15:08
Last modified on : 14-12-2023 17:17:50

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnigmaWeb WP Catalogue allows Stored XSS.This issue affects WP Catalogue: from n/a through 1.7.6.

CVE ID : CVE-2023-48780
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/wp-catalogue/wordpress-wp-catalogue-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49149

First published on : 14-12-2023 17:15:09
Last modified on : 14-12-2023 17:17:50

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CurrencyRate.Today Currency Converter Calculator allows Stored XSS.This issue affects Currency Converter Calculator: from n/a through 1.3.1.

CVE ID : CVE-2023-49149
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/currency-converter-calculator/wordpress-currency-converter-calculator-plugin-1-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49150

First published on : 14-12-2023 17:15:09
Last modified on : 14-12-2023 17:17:50

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CurrencyRate.Today Crypto Converter Widget allows Stored XSS.This issue affects Crypto Converter Widget: from n/a through 1.8.1.

CVE ID : CVE-2023-49150
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/crypto-converter-widget/wordpress-crypto-converter-widget-plugin-1-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49860

First published on : 14-12-2023 17:15:09
Last modified on : 14-12-2023 17:17:50

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts allows Stored XSS.This issue affects WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts: from n/a through 2.6.7.

CVE ID : CVE-2023-49860
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/wedevs-project-manager/wordpress-wp-project-manager-plugin-2-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49151

First published on : 14-12-2023 18:15:44
Last modified on : 14-12-2023 19:26:01

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Calendar Simple Calendar – Google Calendar Plugin allows Stored XSS.This issue affects Simple Calendar – Google Calendar Plugin: from n/a through 3.2.6.

CVE ID : CVE-2023-49151
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/google-calendar-events/wordpress-google-calendar-events-plugin-3-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49152

First published on : 14-12-2023 18:15:44
Last modified on : 14-12-2023 19:26:01

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labs64 Credit Tracker allows Stored XSS.This issue affects Credit Tracker: from n/a through 1.1.17.

CVE ID : CVE-2023-49152
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/credit-tracker/wordpress-credit-tracker-plugin-1-1-17-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49836

First published on : 14-12-2023 14:15:43
Last modified on : 14-12-2023 14:49:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brontobytes Cookie Bar allows Stored XSS.This issue affects Cookie Bar: from n/a through 2.0.

CVE ID : CVE-2023-49836
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/cookie-bar/wordpress-cookie-bar-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49743

First published on : 14-12-2023 15:15:09
Last modified on : 14-12-2023 15:20:34

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Dashboard Widgets Suite allows Stored XSS.This issue affects Dashboard Widgets Suite: from n/a through 3.4.1.

CVE ID : CVE-2023-49743
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/dashboard-widgets-suite/wordpress-dashboard-widgets-suite-plugin-3-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49195

First published on : 14-12-2023 16:15:51
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Phillips Nested Pages allows Stored XSS.This issue affects Nested Pages: from n/a through 3.2.6.

CVE ID : CVE-2023-49195
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/wp-nested-pages/wordpress-nested-pages-plugin-3-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49770

First published on : 14-12-2023 16:15:51
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Peter Raschendorfer Smart External Link Click Monitor [Link Log] allows Stored XSS.This issue affects Smart External Link Click Monitor [Link Log]: from n/a through 5.0.2.

CVE ID : CVE-2023-49770
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/link-log/wordpress-smart-external-link-click-monitor-link-log-plugin-5-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49841

First published on : 14-12-2023 16:15:52
Last modified on : 14-12-2023 17:17:54

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FancyThemes Optin Forms – Simple List Building Plugin for WordPress allows Stored XSS.This issue affects Optin Forms – Simple List Building Plugin for WordPress: from n/a through 1.3.3.

CVE ID : CVE-2023-49841
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/optin-forms/wordpress-optin-forms-plugin-1-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49842

First published on : 14-12-2023 17:15:09
Last modified on : 14-12-2023 17:17:50

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpexpertsio Rocket Maintenance Mode & Coming Soon Page allows Stored XSS.This issue affects Rocket Maintenance Mode & Coming Soon Page: from n/a through 4.3.

CVE ID : CVE-2023-49842
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/rocket-maintenance-mode/wordpress-rocket-maintenance-mode-coming-soon-page-plugin-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49157

First published on : 14-12-2023 18:15:44
Last modified on : 14-12-2023 19:26:01

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andreas Münch Multiple Post Passwords allows Stored XSS.This issue affects Multiple Post Passwords: from n/a through 1.1.1.

CVE ID : CVE-2023-49157
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/multiple-post-passwords/wordpress-multiple-post-passwords-plugin-1-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Source : github.com

Vulnerability ID : CVE-2023-50713

First published on : 14-12-2023 19:15:16
Last modified on : 14-12-2023 19:26:01

Description :
Speckle Server provides server, frontend, 3D viewer, and other JavaScript utilities for the Speckle 3D data platform. A vulnerability in versions prior to 2.17.6 affects users who: authorized an application which requested a 'token write' scope or, using frontend-2, created a Personal Access Token (PAT) with `token write` scope. When creating a new token an agent needs to authorise the request with an existing token (the 'requesting token'). The requesting token is required to have token write scope in order to generate new tokens. However, Speckle server was not verifying that other privileges granted to the new token were not in excess of the privileges of the requesting token. A malicious actor could use a token with only token write scope to subsequently generate further tokens with additional privileges. These privileges would only grant privileges up to the existing privileges of the user. This vulnerability cannot be used to escalate a user's privileges or grant privileges on behalf of other users. This has been patched as of version 2.17.6. All operators of Speckle servers should upgrade their server to version 2.17.6 or higher. Any users who authorized an application with 'token write' scope, or created a token in frontend-2 with `token write` scope should review existing tokens and permanently revoke any they do not recognize, revoke existing tokens and create new tokens, and review usage of their account for suspicious activity. No known workarounds for this issue exist.

CVE ID : CVE-2023-50713
Source : security-advisories@github.com
CVSS Score : 6.5

References :
https://github.com/specklesystems/speckle-server/commit/3689e1cd58ec4f06abee836af34889d6ce474571 | source : security-advisories@github.com
https://github.com/specklesystems/speckle-server/releases/tag/2.17.6 | source : security-advisories@github.com
https://github.com/specklesystems/speckle-server/security/advisories/GHSA-xpf3-5q5x-3qwh | source : security-advisories@github.com

Vulnerability : CWE-1220


Vulnerability ID : CVE-2023-49294

First published on : 14-12-2023 20:15:52
Last modified on : 14-12-2023 22:44:49

Description :
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.

CVE ID : CVE-2023-49294
Source : security-advisories@github.com
CVSS Score : 4.9

References :
https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757 | source : security-advisories@github.com
https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5 | source : security-advisories@github.com
https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f | source : security-advisories@github.com

Vulnerability : CWE-22


Vulnerability ID : CVE-2023-50710

First published on : 14-12-2023 18:15:45
Last modified on : 14-12-2023 19:26:01

Description :
Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the change to fix this issue. As a workaround, avoid using TrieRouter directly.

CVE ID : CVE-2023-50710
Source : security-advisories@github.com
CVSS Score : 4.2

References :
https://github.com/honojs/hono/commit/8e2b6b08518998783f66d31db4f21b1b1eecc4c8 | source : security-advisories@github.com
https://github.com/honojs/hono/releases/tag/v3.11.7 | source : security-advisories@github.com
https://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vq | source : security-advisories@github.com

Vulnerability : CWE-94


Source : us.ibm.com

Vulnerability ID : CVE-2023-45184

First published on : 14-12-2023 02:15:12
Last modified on : 14-12-2023 13:52:06

Description :
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270.

CVE ID : CVE-2023-45184
Source : psirt@us.ibm.com
CVSS Score : 6.2

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/268270 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7091942 | source : psirt@us.ibm.com

Vulnerability : CWE-922


Vulnerability ID : CVE-2022-43843

First published on : 14-12-2023 01:15:07
Last modified on : 14-12-2023 13:52:16

Description :
IBM Spectrum Scale 5.1.5.0 through 5.1.5.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 239080.

CVE ID : CVE-2022-43843
Source : psirt@us.ibm.com
CVSS Score : 5.9

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/239080 | source : psirt@us.ibm.com
https://https://www.ibm.com/support/pages/node/7094941 | source : psirt@us.ibm.com

Vulnerability : CWE-327


Source : ubuntu.com

Vulnerability ID : CVE-2023-49342

First published on : 14-12-2023 22:15:42
Last modified on : 14-12-2023 22:44:49

Description :
Temporary data passed between application components by Budgie Extras Clockworks applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.

CVE ID : CVE-2023-49342
Source : security@ubuntu.com
CVSS Score : 6.0

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49342 | source : security@ubuntu.com
https://github.com/UbuntuBudgie/budgie-extras/security/advisories/GHSA-2vfg-p2h9-wg39 | source : security@ubuntu.com
https://ubuntu.com/security/notices/USN-6556-1 | source : security@ubuntu.com

Vulnerability : CWE-377
Vulnerability : CWE-668


Vulnerability ID : CVE-2023-49343

First published on : 14-12-2023 22:15:43
Last modified on : 14-12-2023 22:44:49

Description :
Temporary data passed between application components by Budgie Extras Dropby applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.

CVE ID : CVE-2023-49343
Source : security@ubuntu.com
CVSS Score : 6.0

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49343 | source : security@ubuntu.com
https://github.com/UbuntuBudgie/budgie-extras/security/advisories/GHSA-27g2-7x65-3cc5 | source : security@ubuntu.com
https://ubuntu.com/security/notices/USN-6556-1 | source : security@ubuntu.com

Vulnerability : CWE-337
Vulnerability : CWE-668


Vulnerability ID : CVE-2023-49344

First published on : 14-12-2023 22:15:43
Last modified on : 14-12-2023 22:44:49

Description :
Temporary data passed between application components by Budgie Extras Window Shuffler applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.

CVE ID : CVE-2023-49344
Source : security@ubuntu.com
CVSS Score : 6.0

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49344 | source : security@ubuntu.com
https://github.com/UbuntuBudgie/budgie-extras/security/advisories/GHSA-rhwf-6fc9-9jvm | source : security@ubuntu.com
https://ubuntu.com/security/notices/USN-6556-1 | source : security@ubuntu.com

Vulnerability : CWE-377
Vulnerability : CWE-668


Vulnerability ID : CVE-2023-49345

First published on : 14-12-2023 22:15:43
Last modified on : 14-12-2023 22:44:49

Description :
Temporary data passed between application components by Budgie Extras Takeabreak applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.

CVE ID : CVE-2023-49345
Source : security@ubuntu.com
CVSS Score : 6.0

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49345 | source : security@ubuntu.com
https://github.com/UbuntuBudgie/budgie-extras/security/advisories/GHSA-rvhc-rch9-j943 | source : security@ubuntu.com
https://ubuntu.com/security/notices/USN-6556-1 | source : security@ubuntu.com

Vulnerability : CWE-377
Vulnerability : CWE-668


Vulnerability ID : CVE-2023-49346

First published on : 14-12-2023 22:15:43
Last modified on : 14-12-2023 22:44:49

Description :
Temporary data passed between application components by Budgie Extras WeatherShow applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.

CVE ID : CVE-2023-49346
Source : security@ubuntu.com
CVSS Score : 6.0

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49346 | source : security@ubuntu.com
https://github.com/UbuntuBudgie/budgie-extras/security/advisories/GHSA-rffw-gg7p-5688 | source : security@ubuntu.com
https://ubuntu.com/security/notices/USN-6556-1 | source : security@ubuntu.com

Vulnerability : CWE-377
Vulnerability : CWE-668


Vulnerability ID : CVE-2023-49347

First published on : 14-12-2023 22:15:43
Last modified on : 14-12-2023 22:44:49

Description :
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.

CVE ID : CVE-2023-49347
Source : security@ubuntu.com
CVSS Score : 6.0

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49347 | source : security@ubuntu.com
https://github.com/UbuntuBudgie/budgie-extras/security/advisories/GHSA-xxfq-fqfp-cpvj | source : security@ubuntu.com
https://ubuntu.com/security/notices/USN-6556-1 | source : security@ubuntu.com

Vulnerability : CWE-377
Vulnerability : CWE-668


Source : progress.com

Vulnerability ID : CVE-2023-6368

First published on : 14-12-2023 16:15:54
Last modified on : 14-12-2023 17:17:50

Description :
In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold.

CVE ID : CVE-2023-6368
Source : security@progress.com
CVSS Score : 5.9

References :
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 | source : security@progress.com
https://www.progress.com/network-monitoring | source : security@progress.com

Vulnerability : CWE-862


Source : huntr.dev

Vulnerability ID : CVE-2023-6571

First published on : 14-12-2023 13:15:55
Last modified on : 14-12-2023 13:51:59

Description :
Cross-site Scripting (XSS) - Reflected in kubeflow/kubeflow

CVE ID : CVE-2023-6571
Source : security@huntr.dev
CVSS Score : 5.4

References :
https://huntr.com/bounties/f02781e7-2a53-4c66-aa32-babb16434632 | source : security@huntr.dev

Vulnerability : CWE-79


Source : hitachienergy.com

Vulnerability ID : CVE-2023-5769

First published on : 14-12-2023 17:15:09
Last modified on : 14-12-2023 17:17:50

Description :
A vulnerability exists in the webserver that affects the RTU500 series product versions listed below. A malicious actor could perform cross-site scripting on the webserver due to user input being improperly sanitized.

CVE ID : CVE-2023-5769
Source : cybersecurity@hitachienergy.com
CVSS Score : 5.4

References :
https://publisher.hitachienergy.com/preview?DocumentId=8DBD000176&languageCode=en&Preview=true | source : cybersecurity@hitachienergy.com


Source : adobe.com

Vulnerability ID : CVE-2023-48631

First published on : 14-12-2023 13:15:54
Last modified on : 14-12-2023 13:51:59

Description :
@adobe/css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

CVE ID : CVE-2023-48631
Source : psirt@adobe.com
CVSS Score : 5.3

References :
https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2 | source : psirt@adobe.com

Vulnerability : CWE-20


Source : redhat.com

Vulnerability ID : CVE-2023-6134

First published on : 14-12-2023 22:15:44
Last modified on : 14-12-2023 22:44:49

Description :
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

CVE ID : CVE-2023-6134
Source : secalert@redhat.com
CVSS Score : 4.6

References :
https://access.redhat.com/errata/RHSA-2023:7854 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7855 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7856 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7857 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7858 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7860 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2023:7861 | source : secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2023-6134 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2249673 | source : secalert@redhat.com

Vulnerability : CWE-75


Source : cert.vde.com

Vulnerability ID : CVE-2023-6545

First published on : 14-12-2023 14:15:45
Last modified on : 14-12-2023 14:49:08

Description :
The package authelia-bhf included in Beckhoffs TwinCAT/BSD is prone to an open redirect that allows a remote unprivileged attacker to redirect a user to another site. This may have limited impact to integrity and does solely affect anthelia-bhf the Beckhoff fork of authelia.

CVE ID : CVE-2023-6545
Source : info@cert.vde.com
CVSS Score : 4.3

References :
https://cert.vde.com/en/advisories/VDE-2023-067/ | source : info@cert.vde.com
https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2023-001.pdf | source : info@cert.vde.com

Vulnerability : CWE-601


Source : octopus.com

Vulnerability ID : CVE-2023-1904

First published on : 14-12-2023 08:15:36
Last modified on : 14-12-2023 13:52:06

Description :
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.

CVE ID : CVE-2023-1904
Source : security@octopus.com
CVSS Score : 4.2

References :
https://advisories.octopus.com/post/2023/sa2023-12/ | source : security@octopus.com


(1) LOW VULNERABILITIES [0.1, 3.9]

Source : acronis.com

Vulnerability ID : CVE-2023-48676

First published on : 14-12-2023 14:15:43
Last modified on : 14-12-2023 14:49:08

Description :
Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 36943.

CVE ID : CVE-2023-48676
Source : security@acronis.com
CVSS Score : 3.3

References :
https://security-advisory.acronis.com/advisories/SEC-5905 | source : security@acronis.com

Vulnerability : CWE-862


(49) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2023-40921

First published on : 14-12-2023 00:15:43
Last modified on : 14-12-2023 13:52:16

Description :
SQL Injection vulnerability in functions/point_list.php in Common Services soliberte before v4.3.03 allows attackers to obtain sensitive information via the lat and lng parameters.

CVE ID : CVE-2023-40921
Source : cve@mitre.org
CVSS Score : /

References :
https://security.friendsofpresta.org/modules/2023/12/12/soliberte.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-41618

First published on : 14-12-2023 00:15:43
Last modified on : 14-12-2023 13:52:16

Description :
Emlog Pro v2.1.14 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component /admin/article.php?active_savedraft.

CVE ID : CVE-2023-41618
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/GhostBalladw/wuhaozhe-s-CVE/blob/main/CVE-2023-41618 | source : cve@mitre.org


Vulnerability ID : CVE-2023-31546

First published on : 14-12-2023 01:15:07
Last modified on : 14-12-2023 13:52:16

Description :
Cross Site Scripting (XSS) vulnerability in DedeBIZ v6.0.3 allows attackers to run arbitrary code via the search feature.

CVE ID : CVE-2023-31546
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/ran9ege/CVE-2023-31546/blob/main/CVE-2023-31546.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-49933

First published on : 14-12-2023 05:15:08
Last modified on : 14-12-2023 13:52:06

Description :
An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. There is Improper Enforcement of Message Integrity During Transmission in a Communication Channel. This allows attackers to modify RPC traffic in a way that bypasses message hash checks. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.

CVE ID : CVE-2023-49933
Source : cve@mitre.org
CVSS Score : /

References :
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html | source : cve@mitre.org
https://www.schedmd.com/security-archive.php | source : cve@mitre.org


Vulnerability ID : CVE-2023-49934

First published on : 14-12-2023 05:15:10
Last modified on : 14-12-2023 13:52:06

Description :
An issue was discovered in SchedMD Slurm 23.11.x. There is SQL Injection against the SlurmDBD database. The fixed version is 23.11.1.

CVE ID : CVE-2023-49934
Source : cve@mitre.org
CVSS Score : /

References :
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html | source : cve@mitre.org
https://www.schedmd.com/security-archive.php | source : cve@mitre.org


Vulnerability ID : CVE-2023-49935

First published on : 14-12-2023 05:15:10
Last modified on : 14-12-2023 13:52:06

Description :
An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.

CVE ID : CVE-2023-49935
Source : cve@mitre.org
CVSS Score : /

References :
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html | source : cve@mitre.org
https://www.schedmd.com/security-archive.php | source : cve@mitre.org


Vulnerability ID : CVE-2023-49936

First published on : 14-12-2023 05:15:10
Last modified on : 14-12-2023 13:52:06

Description :
An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. A NULL pointer dereference leads to denial of service. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.

CVE ID : CVE-2023-49936
Source : cve@mitre.org
CVSS Score : /

References :
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html | source : cve@mitre.org
https://www.schedmd.com/security-archive.php | source : cve@mitre.org


Vulnerability ID : CVE-2023-49937

First published on : 14-12-2023 05:15:11
Last modified on : 14-12-2023 13:52:06

Description :
An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. Because of a double free, attackers can cause a denial of service or possibly execute arbitrary code. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.

CVE ID : CVE-2023-49937
Source : cve@mitre.org
CVSS Score : /

References :
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html | source : cve@mitre.org
https://www.schedmd.com/security-archive.php | source : cve@mitre.org


Vulnerability ID : CVE-2023-49938

First published on : 14-12-2023 05:15:11
Last modified on : 14-12-2023 13:52:06

Description :
An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7.

CVE ID : CVE-2023-49938
Source : cve@mitre.org
CVSS Score : /

References :
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html | source : cve@mitre.org
https://www.schedmd.com/security-archive.php | source : cve@mitre.org


Vulnerability ID : CVE-2023-44709

First published on : 14-12-2023 06:15:42
Last modified on : 14-12-2023 13:52:06

Description :
PlutoSVG commit 336c02997277a1888e6ccbbbe674551a0582e5c4 and before was discovered to contain an integer overflow via the component plutosvg_load_from_memory.

CVE ID : CVE-2023-44709
Source : cve@mitre.org
CVSS Score : /

References :
https://gist.github.com/sunwithmoon/3f810c27d2e553f9d31bd7c50566f15b#file-cve-2023-44709 | source : cve@mitre.org
https://github.com/sammycage/plutosvg/issues/7 | source : cve@mitre.org


Vulnerability ID : CVE-2023-48084

First published on : 14-12-2023 07:15:08
Last modified on : 14-12-2023 13:52:06

Description :
Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.

CVE ID : CVE-2023-48084
Source : cve@mitre.org
CVSS Score : /

References :
https://www.nagios.com/products/security/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-48085

First published on : 14-12-2023 07:15:09
Last modified on : 14-12-2023 13:52:06

Description :
Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.

CVE ID : CVE-2023-48085
Source : cve@mitre.org
CVSS Score : /

References :
https://www.nagios.com/products/security/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-46348

First published on : 14-12-2023 09:15:42
Last modified on : 14-12-2023 13:51:59

Description :
SQL njection vulnerability in SunnyToo sturls before version 1.1.13, allows attackers to escalate privileges and obtain sensitive information via StUrls::hookActionDispatcher and StUrls::getInstanceId methods.

CVE ID : CVE-2023-46348
Source : cve@mitre.org
CVSS Score : /

References :
https://security.friendsofpresta.org/modules/2023/12/07/sturls.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-48925

First published on : 14-12-2023 09:15:42
Last modified on : 14-12-2023 13:51:59

Description :
SQL injection vulnerability in Buy Addons bavideotab before version 1.0.6, allows attackers to escalate privileges and obtain sensitive information via the component BaVideoTabSaveVideoModuleFrontController::run().

CVE ID : CVE-2023-48925
Source : cve@mitre.org
CVSS Score : /

References :
https://security.friendsofpresta.org/modules/2023/12/07/bavideotab.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-50011

First published on : 14-12-2023 15:15:10
Last modified on : 14-12-2023 15:20:34

Description :
PopojiCMS version 2.0.1 is vulnerable to remote command execution in the Meta Social field.

CVE ID : CVE-2023-50011
Source : cve@mitre.org
CVSS Score : /

References :
https://packetstormsecurity.com/files/175924/PopojiCMS-2.0.1-Remote-Command-Execution.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-50073

First published on : 14-12-2023 15:15:10
Last modified on : 14-12-2023 15:20:34

Description :
EmpireCMS v7.5 was discovered to contain a SQL injection vulnerability via the ftppassword parameter at SetEnews.php.

CVE ID : CVE-2023-50073
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/leadscloud/EmpireCMS/issues/7 | source : cve@mitre.org


Vulnerability ID : CVE-2023-50563

First published on : 14-12-2023 15:15:10
Last modified on : 14-12-2023 15:20:34

Description :
Semcms v4.8 was discovered to contain a SQL injection vulnerability via the AID parameter at SEMCMS_Function.php.

CVE ID : CVE-2023-50563
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/SecBridge/Cms_Vuls_test/blob/main/Semcms/Semcms_Sql_Inject.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50564

First published on : 14-12-2023 15:15:10
Last modified on : 14-12-2023 15:20:34

Description :
An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file.

CVE ID : CVE-2023-50564
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/SecBridge/Cms_Vuls_test/blob/main/Pluckcms/Pluck_v4.7.18_Any_File_Upload_Getshell.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50565

First published on : 14-12-2023 15:15:10
Last modified on : 14-12-2023 15:20:34

Description :
A cross-site scripting (XSS) vulnerability in the component /logs/dopost.html in RPCMS v3.5.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE ID : CVE-2023-50565
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/ralap-z/rpcms/issues/7 | source : cve@mitre.org


Vulnerability ID : CVE-2023-50566

First published on : 14-12-2023 15:15:10
Last modified on : 14-12-2023 15:20:34

Description :
A stored cross-site scripting (XSS) vulnerability in EyouCMS-V1.6.5-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Public Security Registration Number parameter.

CVE ID : CVE-2023-50566
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/weng-xianhu/eyoucms/issues/56 | source : cve@mitre.org


Vulnerability ID : CVE-2023-50100

First published on : 14-12-2023 16:15:52
Last modified on : 14-12-2023 17:17:54

Description :
JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via carousel image editing.

CVE ID : CVE-2023-50100
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Jarvis-616/cms/blob/master/There%20is%20a%20storage%20type%20XSS%20for%20carousel%20image%20editing.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50101

First published on : 14-12-2023 16:15:52
Last modified on : 14-12-2023 17:17:54

Description :
JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via Label management editing.

CVE ID : CVE-2023-50101
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Jarvis-616/cms/blob/master/Label%20management%20editing%20with%20stored%20XSS.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50102

First published on : 14-12-2023 16:15:52
Last modified on : 14-12-2023 17:17:54

Description :
JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS).

CVE ID : CVE-2023-50102
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Jarvis-616/cms/blob/master/Content%20data%20exists%20in%20storage%20XSS%20for%20editing.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50137

First published on : 14-12-2023 16:15:52
Last modified on : 14-12-2023 17:17:54

Description :
JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) in the site management office.

CVE ID : CVE-2023-50137
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/yukino-hiki/CVE/blob/main/3/There%20is%20a%20storage%20type%20xss%20in%20the%20site%20management%20office.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-47261

First published on : 14-12-2023 17:15:07
Last modified on : 14-12-2023 17:17:50

Description :
Dokmee ECM 7.4.6 allows remote code execution because the response to a GettingStarted/SaveSQLConnectionAsync /#/gettingstarted request contains a connection string for privileged SQL Server database access, and xp_cmdshell can be enabled.

CVE ID : CVE-2023-47261
Source : cve@mitre.org
CVSS Score : /

References :
https://h3x0s3.github.io/CVE2023~47261/ | source : cve@mitre.org
https://www.dokmee.com/Support-Learn/Updates-Change-Log | source : cve@mitre.org


Vulnerability ID : CVE-2023-41151

First published on : 14-12-2023 19:15:16
Last modified on : 14-12-2023 19:26:01

Description :
An uncaught exception issue discovered in Softing OPC UA C++ SDK before 6.30 for Windows operating system may cause the application to crash when the server wants to send an error packet, while socket is blocked on writing.

CVE ID : CVE-2023-41151
Source : cve@mitre.org
CVSS Score : /

References :
https://industrial.softing.com/fileadmin/psirt/downloads/2023/syt-2023-3.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-50017

First published on : 14-12-2023 19:15:16
Last modified on : 14-12-2023 19:26:01

Description :
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/database/backup

CVE ID : CVE-2023-50017
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/849200701/cms/blob/main/CSRF%20exists%20in%20the%20backup%20and%20restore%20location.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-45894

First published on : 14-12-2023 20:15:52
Last modified on : 14-12-2023 22:44:49

Description :
The Remote Application Server in Parallels RAS before 19.2.23975 does not segment virtualized applications from the server, which allows a remote attacker to achieve remote code execution via standard kiosk breakout techniques.

CVE ID : CVE-2023-45894
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Oracle-Security/CVEs/blob/main/Parallels%20Remote%20Server/readme.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50471

First published on : 14-12-2023 20:15:53
Last modified on : 14-12-2023 22:44:49

Description :
cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c.

CVE ID : CVE-2023-50471
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/DaveGamble/cJSON/issues/802 | source : cve@mitre.org


Vulnerability ID : CVE-2023-50472

First published on : 14-12-2023 20:15:53
Last modified on : 14-12-2023 22:44:49

Description :
cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c.

CVE ID : CVE-2023-50472
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/DaveGamble/cJSON/issues/803 | source : cve@mitre.org


Source : joomla.org

Vulnerability ID : CVE-2023-40627

First published on : 14-12-2023 09:15:41
Last modified on : 14-12-2023 13:51:59

Description :
A reflected XSS vulnerability was discovered in the LivingWord component for Joomla.

CVE ID : CVE-2023-40627
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/livingword/ | source : security@joomla.org

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-40628

First published on : 14-12-2023 09:15:41
Last modified on : 14-12-2023 13:51:59

Description :
A reflected XSS vulnerability was discovered in the Extplorer component for Joomla.

CVE ID : CVE-2023-40628
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/extplorer/ | source : security@joomla.org

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-40629

First published on : 14-12-2023 09:15:41
Last modified on : 14-12-2023 13:51:59

Description :
SQLi vulnerability in LMS Lite component for Joomla.

CVE ID : CVE-2023-40629
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/lms-lite/ | source : security@joomla.org

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-40630

First published on : 14-12-2023 09:15:41
Last modified on : 14-12-2023 13:51:59

Description :
Unauthenticated LFI/SSRF in JCDashboards component for Joomla.

CVE ID : CVE-2023-40630
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/jcdashboards/ | source : security@joomla.org

Vulnerability : CWE-918


Vulnerability ID : CVE-2023-40655

First published on : 14-12-2023 09:15:41
Last modified on : 14-12-2023 13:51:59

Description :
A reflected XSS vulnerability was discovered in the Proforms Basic component for Joomla.

CVE ID : CVE-2023-40655
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/proforms-basic/ | source : security@joomla.org

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-40656

First published on : 14-12-2023 09:15:41
Last modified on : 14-12-2023 13:51:59

Description :
A reflected XSS vulnerability was discovered in the Quickform component for Joomla.

CVE ID : CVE-2023-40656
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/quickform/ | source : security@joomla.org

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-40657

First published on : 14-12-2023 09:15:41
Last modified on : 14-12-2023 13:51:59

Description :
A reflected XSS vulnerability was discovered in the Joomdoc component for Joomla.

CVE ID : CVE-2023-40657
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/joomdoc/ | source : security@joomla.org

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-40658

First published on : 14-12-2023 09:15:41
Last modified on : 14-12-2023 13:51:59

Description :
A reflected XSS vulnerability was discovered in the Clicky Analytics Dashboard module for Joomla.

CVE ID : CVE-2023-40658
Source : security@joomla.org
CVSS Score : /

References :
https://deconf.com/clicky-analytics-dashboard-joomla/ | source : security@joomla.org

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-40659

First published on : 14-12-2023 09:15:41
Last modified on : 14-12-2023 13:51:59

Description :
A reflected XSS vulnerability was discovered in the Easy Quick Contact module for Joomla.

CVE ID : CVE-2023-40659
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/contacts-and-feedback/contact-forms/easy-quick-contact/ | source : security@joomla.org

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49707

First published on : 14-12-2023 09:15:42
Last modified on : 14-12-2023 13:51:59

Description :
SQLi vulnerability in S5 Register module for Joomla.

CVE ID : CVE-2023-49707
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/s5-register/ | source : security@joomla.org

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-49708

First published on : 14-12-2023 09:15:42
Last modified on : 14-12-2023 13:51:59

Description :
SQLi vulnerability in Starshop component for Joomla.

CVE ID : CVE-2023-49708
Source : security@joomla.org
CVSS Score : /

References :
https://extensions.joomla.org/extension/starshop/ | source : security@joomla.org

Vulnerability : CWE-89


Source : apache.org

Vulnerability ID : CVE-2023-46750

First published on : 14-12-2023 09:15:42
Last modified on : 14-12-2023 13:51:59

Description :
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

CVE ID : CVE-2023-46750
Source : security@apache.org
CVSS Score : /

References :
https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9 | source : security@apache.org

Vulnerability : CWE-601


Source : hp.com

Vulnerability ID : CVE-2023-4694

First published on : 14-12-2023 19:15:16
Last modified on : 14-12-2023 19:26:01

Description :
Certain HP OfficeJet Pro printers are potentially vulnerable to a Denial of Service when sending a SOAP message to the service on TCP port 3911 that contains a body but no header.

CVE ID : CVE-2023-4694
Source : hp-security-alert@hp.com
CVSS Score : /

References :
https://support.hp.com/us-en/document/ish_9823639-9823677-16/hpsbpi03894 | source : hp-security-alert@hp.com


Source : google.com

Vulnerability ID : CVE-2023-6702

First published on : 14-12-2023 22:15:44
Last modified on : 14-12-2023 22:44:49

Description :
Type confusion in V8 in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE ID : CVE-2023-6702
Source : chrome-cve-admin@google.com
CVSS Score : /

References :
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html | source : chrome-cve-admin@google.com
https://crbug.com/1501326 | source : chrome-cve-admin@google.com


Vulnerability ID : CVE-2023-6703

First published on : 14-12-2023 22:15:44
Last modified on : 14-12-2023 22:44:49

Description :
Use after free in Blink in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE ID : CVE-2023-6703
Source : chrome-cve-admin@google.com
CVSS Score : /

References :
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html | source : chrome-cve-admin@google.com
https://crbug.com/1502102 | source : chrome-cve-admin@google.com


Vulnerability ID : CVE-2023-6704

First published on : 14-12-2023 22:15:44
Last modified on : 14-12-2023 22:44:49

Description :
Use after free in libavif in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted image file. (Chromium security severity: High)

CVE ID : CVE-2023-6704
Source : chrome-cve-admin@google.com
CVSS Score : /

References :
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html | source : chrome-cve-admin@google.com
https://crbug.com/1504792 | source : chrome-cve-admin@google.com


Vulnerability ID : CVE-2023-6705

First published on : 14-12-2023 22:15:44
Last modified on : 14-12-2023 22:44:49

Description :
Use after free in WebRTC in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE ID : CVE-2023-6705
Source : chrome-cve-admin@google.com
CVSS Score : /

References :
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html | source : chrome-cve-admin@google.com
https://crbug.com/1505708 | source : chrome-cve-admin@google.com


Vulnerability ID : CVE-2023-6706

First published on : 14-12-2023 22:15:44
Last modified on : 14-12-2023 22:44:49

Description :
Use after free in FedCM in Google Chrome prior to 120.0.6099.109 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE ID : CVE-2023-6706
Source : chrome-cve-admin@google.com
CVSS Score : /

References :
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html | source : chrome-cve-admin@google.com
https://crbug.com/1500921 | source : chrome-cve-admin@google.com


Vulnerability ID : CVE-2023-6707

First published on : 14-12-2023 22:15:44
Last modified on : 14-12-2023 22:44:49

Description :
Use after free in CSS in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

CVE ID : CVE-2023-6707
Source : chrome-cve-admin@google.com
CVSS Score : /

References :
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html | source : chrome-cve-admin@google.com
https://crbug.com/1504036 | source : chrome-cve-admin@google.com


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports

Securitricks

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Securitricks.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.