Search Results (363351 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-6203 1 Stellarwp 1 The Events Calendar 2024-11-21 7.5 High
The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password protected posts to unauthenticated users via a crafted request
CVE-2023-6202 1 Mattermost 1 Mattermost 2024-11-21 4.3 Medium
Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards.
CVE-2023-6194 1 Eclipse 1 Memory Analyzer 2024-11-21 2.8 Low
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.
CVE-2023-6193 1 Cloudflare 1 Quiche 2024-11-21 5.3 Medium
quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption. QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received; leading to storage of path validation data in an unbounded queue. Quiche versions greater than 0.19.0 address this problem.
CVE-2023-6188 1 Get-simple 1 Getsimplecms 2024-11-21 4.7 Medium
A vulnerability was found in GetSimpleCMS 3.3.16/3.4.0a. It has been rated as critical. This issue affects some unknown processing of the file /admin/theme-edit.php. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-245735.
CVE-2023-6181 1 Google 2 Chromecast, Chromecast Firmware 2024-11-21 9.8 Critical
An oversight in BCB handling of reboot reason that allows for persistent code execution
CVE-2023-6180 1 Cloudflare 1 Boring 2024-11-21 5.3 Medium
The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.
CVE-2023-6179 1 Honeywell 1 Prowatch 2024-11-21 7.8 High
Honeywell ProWatch, 4.5, including all Service Pack versions, contain a Vulnerability in Application Server's executable folder(s). A(n) attacker could potentially exploit this vulnerability, leading to a standard user to have arbitrary system code execution. Honeywell recommends updating to the most recent version of this product, service or offering (Pro-watch 6.0.2, 6.0, 5.5.2,5.0.5).
CVE-2023-6178 1 Tenable 1 Nessus 2024-11-21 6.8 Medium
An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition.
CVE-2023-6166 1 Ays-pro 1 Quiz Maker 2024-11-21 6.1 Medium
The Quiz Maker WordPress plugin before 6.4.9.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting
CVE-2023-6157 1 Checkmk 1 Checkmk 2024-11-21 7.6 High
Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.
CVE-2023-6156 1 Checkmk 1 Checkmk 2024-11-21 7.6 High
Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.
CVE-2023-6155 1 Ays-pro 1 Quiz Maker 2024-11-21 5.3 Medium
The Quiz Maker WordPress plugin before 6.4.9.5 does not adequately authorize the `ays_quiz_author_user_search` AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses.
CVE-2023-6146 1 Qualys 1 Private Cloud Platform 2024-11-21 5.7 Medium
A Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce XSS payload via browser details. 
CVE-2023-6144 1 Armanidrisi 1 Dev Blog 2024-11-21 9.1 Critical
Dev blog v1.0 allows to exploit an account takeover through the "user" cookie. With this, an attacker can access any user's session just by knowing their username.
CVE-2023-6140 1 G5plus 1 Essential Real Estate 2024-11-21 8.8 High
The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution.
CVE-2023-6131 1 Salesagility 1 Suitecrm 2024-11-21 8.8 High
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2023-6130 1 Salesagility 1 Suitecrm 2024-11-21 8.8 High
Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2023-6127 1 Salesagility 1 Suitecrm 2024-11-21 5.4 Medium
Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2023-6124 1 Salesagility 1 Suitecrm 2024-11-21 4.3 Medium
Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14.