Search Results (366936 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-2182 1 Gitlab 1 Gitlab 2025-01-30 6.8 Medium
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions when OpenID Connect is enabled on an instance, it may allow users who are marked as 'external' to become 'regular' users thus leading to privilege escalation for those users.
CVE-2022-48481 2 Apple, Jetbrains 2 Macos, Toolbox 2025-01-30 5.2 Medium
In JetBrains Toolbox App before 1.28 a DYLIB injection on macOS was possible
CVE-2023-2355 1 Acronis 1 Snap Deploy 2025-01-30 7.8 High
Local privilege escalation due to a DLL hijacking vulnerability. The following products are affected: Acronis Snap Deploy (Windows) before build 3900.
CVE-2023-27860 1 Ibm 1 Maximo Asset Management 2025-01-30 5.3 Medium
IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 could disclose sensitive information in an error message. This information could be used in further attacks against the system. IBM X-Force ID: 249207.
CVE-2023-2356 1 Lfprojects 1 Mlflow 2025-01-30 7.5 High
Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.
CVE-2023-2361 1 Pimcore 1 Pimcore 2025-01-30 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-27556 1 Ibm 1 Safer Payments 2025-01-30 6.5 Medium
IBM Counter Fraud Management for Safer Payments 6.1.0.00, 6.2.0.00, 6.3.0.00 through 6.3.1.03, 6.4.0.00 through 6.4.2.02 and 6.5.0.00 does not properly allocate resources without limits or throttling which could allow a remote attacker to cause a denial of service. IBM X-Force ID: 249190.
CVE-2020-4729 1 Ibm 1 Safer Payments 2025-01-30 5.3 Medium
IBM Counter Fraud Management for Safer Payments 5.7.0.00 through 5.7.0.10, 6.0.0.00 through 6.0.0.07, 6.1.0.00 through 6.1.0.05, and 6.2.0.00 through 6.2.1.00 could allow an authenticated attacker under special circumstances to send multiple specially crafted API requests that could cause the application to crash. IBM X-Force ID: 188052.
CVE-2023-2069 1 Gitlab 1 Gitlab 2025-01-30 6.4 Medium
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. A user with the role of developer could use the import project feature to leak CI/CD variables.
CVE-2023-31486 3 Http\, Perl, Redhat 4 \, Perl, Enterprise Linux and 1 more 2025-01-30 8.1 High
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
CVE-2023-30123 1 Wuzhicms 1 Wuzhicms 2025-01-30 5.4 Medium
wuzhicms v4.1.0 is vulnerable to Cross Site Scripting (XSS) in the Member Center, Account Settings.
CVE-2023-27972 1 Hp 76 Laserjet Pro M304-m305 W1a46a, Laserjet Pro M304-m305 W1a46a Firmware, Laserjet Pro M304-m305 W1a47a and 73 more 2025-01-30 9.8 Critical
Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.
CVE-2023-1526 1 Hp 15 Designjet Z6, Designjet Z6 Firmware, Designjet Z6dr and 12 more 2025-01-30 4.6 Medium
Certain DesignJet and PageWide XL TAA compliant models may have risk of potential information disclosure if the hard disk drive is physically removed from the printer.
CVE-2023-2343 1 Pimcore 1 Pimcore 2025-01-30 5.4 Medium
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2386 1 Netgear 2 Srx5308, Srx5308 Firmware 2025-01-30 2.4 Low
A vulnerability classified as problematic has been found in Netgear SRX5308 up to 4.3.5-3. Affected is an unknown function of the file scgi-bin/platform.cgi?page=firewall_logs_email.htm of the component Web Management Interface. The manipulation of the argument smtpServer.toAddr leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227664. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-30847 1 Dena 1 H2o 2025-01-30 8.2 High
H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. Users should upgrade to commit f010336 or later.
CVE-2023-2390 1 Netgear 2 Srx5308, Srx5308 Firmware 2025-01-30 2.4 Low
A vulnerability has been found in Netgear SRX5308 up to 4.3.5-3 and classified as problematic. This vulnerability affects unknown code of the file scgi-bin/platform.cgi?page=time_zone.htm of the component Web Management Interface. The manipulation of the argument ntp.server1 leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227668. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-30857 1 Aedart 1 Ion 2025-01-30 3.7 Low
@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.
CVE-2023-30848 1 Pimcore 1 Pimcore 2025-01-30 8.8 High
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually.
CVE-2023-30852 1 Pimcore 1 Pimcore 2025-01-30 4.4 Medium
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and `scripts` parameters. The `scriptPath` parameter is not sanitized properly and is vulnerable to path traversal attack. Any JavaScript/CSS file from the application server can be read by specifying sufficient number of `../` patterns to go out from the application webroot followed by path of the folder where the file is located in the "scriptPath" parameter and the file name in the "scripts" parameter. The JavaScript file is successfully read only if the web application has read access to it. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manual.