Search Results (363307 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-5240 1 Devolutions 1 Devolutions Server 2024-11-21 7.5 High
Improper access control in PAM propagation scripts in Devolutions Server 2023.2.8.0 and ealier allows an attack with permission to manage PAM propagation scripts to retrieve passwords stored in it via a GET request.
CVE-2023-5239 1 Cleantalk 1 Security \& Malware Scan 2024-11-21 7.5 High
The Security & Malware scan by CleanTalk WordPress plugin before 2.121 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass bruteforce protection.
CVE-2023-5227 1 Phpmyfaq 1 Phpmyfaq 2024-11-21 9.8 Critical
Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.
CVE-2023-5223 1 Hdoi 1 Hcode Online Judge 2024-11-21 6.3 Medium
A vulnerability, which was classified as critical, has been found in HimitZH HOJ up to 4.6-9a65e3f. This issue affects some unknown processing of the component Topic Handler. The manipulation leads to sandbox issue. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240365 was assigned to this vulnerability.
CVE-2023-5222 1 Viessmann 2 Vitogate 300, Vitogate 300 Firmware 2024-11-21 6.3 Medium
A vulnerability classified as critical was found in Viessmann Vitogate 300 up to 2.1.3.0. This vulnerability affects the function isValidUser of the file /cgi-bin/vitogate.cgi of the component Web Management Interface. The manipulation leads to use of hard-coded password. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-240364. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-5221 1 Foru Cms Project 1 Foru Cms 2024-11-21 4.7 Medium
A vulnerability classified as critical has been found in ForU CMS. This affects an unknown part of the file /install/index.php. The manipulation of the argument db_name leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The associated identifier of this vulnerability is VDB-240363. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-5214 1 Puppet 1 Bolt 2024-11-21 6.5 Medium
In Puppet Bolt versions prior to 3.27.4, a path to escalate privileges was identified.
CVE-2023-5210 1 Amp-cloud 1 Amp Plus 2024-11-21 6.1 Medium
The AMP+ Plus WordPress plugin through 3.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVE-2023-5209 1 Booking-wp-plugin 1 Bookly 2024-11-21 4.8 Medium
The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2023-5203 1 Swit 1 Wp Sessions Time Monitoring Full Automatic 2024-11-21 7.5 High
The WP Sessions Time Monitoring Full Automatic WordPress plugin before 1.0.9 does not sanitize the request URL or query parameters before using them in an SQL query, allowing unauthenticated attackers to extract sensitive data from the database via blind time based SQL injection techniques, or in some cases an error/union based technique.
CVE-2023-5196 1 Mattermost 1 Mattermost 2024-11-21 6.5 Medium
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users.
CVE-2023-5195 1 Mattermost 1 Mattermost 2024-11-21 6.5 Medium
Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of
CVE-2023-5194 1 Mattermost 1 Mattermost 2024-11-21 2.7 Low
Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager
CVE-2023-5193 1 Mattermost 1 Mattermost 2024-11-21 4.9 Medium
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
CVE-2023-5192 1 Pimcore 2 Core, Pimcore 2024-11-21 6.5 Medium
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0.
CVE-2023-5188 1 Wago 2 Telecontrol Configurator, Wagoapprtu 2024-11-21 7.5 High
The MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specifically crafted packets that lead to a denial-of-service condition until restart of the affected device.
CVE-2023-5185 1 Projectworlds 1 Gym Management System Project 2024-11-21 9.1 Critical
Gym Management System Project v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'file' parameter of profile/i.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application.
CVE-2023-5183 1 Illumio 1 Core Policy Compute Engine 2024-11-21 9.9 Critical
Unsafe deserialization of untrusted JSON allows execution of arbitrary code on affected releases of the Illumio PCE. Authentication to the API is required to exploit this vulnerability. The flaw exists within the network_traffic API endpoint. An attacker can leverage this vulnerability to execute code in the context of the PCE’s operating system user.  
CVE-2023-5182 1 Canonical 1 Subiquity 2024-11-21 5.5 Medium
Sensitive data could be exposed in logs of subiquity version 23.09.1 and earlier. An attacker in the adm group could use this information to find hashed passwords and possibly escalate their privilege.
CVE-2023-5180 1 Opendesign 1 Drawings Sdk 2024-11-21 7.8 High
An issue was discovered in Open Design Alliance Drawings SDK before 2024.12. A corrupted value of number of sectors used by the Fat structure in a crafted DGN file leads to an out-of-bounds write. An attacker can leverage this vulnerability to execute code in the context of the current process.