Search Results (363281 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-50563 1 Sem-cms 1 Semcms 2024-11-21 9.8 Critical
Semcms v4.8 was discovered to contain a SQL injection vulnerability via the AID parameter at SEMCMS_Function.php.
CVE-2023-50559 1 Openxiangshan 1 Xiangshan 2024-11-21 5.5 Medium
An issue was discovered in XiangShan v2.1, allows local attackers to obtain sensitive information via the L1D cache.
CVE-2023-50550 1 Layui 1 Layui 2024-11-21 5.4 Medium
layui up to v2.74 was discovered to contain a cross-site scripting (XSS) vulnerability via the data-content parameter.
CVE-2023-50481 1 Blinksocks 1 Blinksocks 2024-11-21 7.5 High
An issue was discovered in blinksocks version 3.3.8, allows remote attackers to obtain sensitive information via weak encryption algorithms in the component /presets/ssr-auth-chain.js.
CVE-2023-50477 1 Nos 1 Nos Client 2024-11-21 9.8 Critical
An issue was discovered in nos client version 0.6.6, allows remote attackers to escalate privileges via getRPCEndpoint.js.
CVE-2023-50473 1 Billahmed 1 Qbit Matui 2024-11-21 5.4 Medium
Cross-Site Scripting (XSS) vulnerability in bill-ahmed qbit-matUI version 1.16.4, allows remote attackers to obtain sensitive information via fixed session identifiers (SID) in index.js file.
CVE-2023-50469 1 Szlbt 2 Lbt-t300-t310, Lbt-t300-t310 Firmware 2024-11-21 9.8 Critical
Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 was discovered to contain a buffer overflow via the ApCliEncrypType parameter at /apply.cgi.
CVE-2023-50466 1 Weintek 2 Cmt2078x, Cmt2078x Firmware 2024-11-21 8.8 High
An authenticated command injection vulnerability in Weintek cMT2078X easyweb Web Version v2.1.3, OS v20220215 allows attackers to execute arbitrary code or access sensitive information via injecting a crafted payload into the HMI Name parameter.
CVE-2023-50465 1 Monicahq 1 Monica 2024-11-21 5.4 Medium
A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.
CVE-2023-50463 1 Caddyserver 1 Caddy 2024-11-21 6.5 Medium
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
CVE-2023-50457 1 Zammad 1 Zammad 2024-11-21 4.3 Medium
An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries for which they lack permissions.
CVE-2023-50455 1 Zammad 1 Zammad 2024-11-21 7.5 High
An issue was discovered in Zammad before 6.2.0. Due to lack of rate limiting in the "email address verification" feature, an attacker could send many requests for a known address to cause Denial Of Service (generation of many emails, which would also spam the victim).
CVE-2023-50454 1 Zammad 1 Zammad 2024-11-21 5.9 Medium
An issue was discovered in Zammad before 6.2.0. In several subsystems, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority. This is exploitable by man-in-the-middle attackers.
CVE-2023-50453 1 Zammad 1 Zammad 2024-11-21 5.3 Medium
An issue was discovered in Zammad before 6.2.0. It uses the public endpoint /api/v1/signshow for its login screen. This endpoint returns internal configuration data of user object attributes, such as selectable values, which should not be visible to the public.
CVE-2023-50449 1 Jfinalcms Project 1 Jfinalcms 2024-11-21 7.5 High
JFinalCMS 5.0.0 could allow a remote attacker to read files via ../ Directory Traversal in the /common/down/file fileKey parameter.
CVE-2023-50448 1 Activeadmin 1 Activeadmin 2024-11-21 6.5 Medium
In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at certain specific times.
CVE-2023-50447 3 Debian, Python, Redhat 8 Debian Linux, Pillow, Ansible Automation Platform and 5 more 2024-11-21 8.1 High
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
CVE-2023-50446 1 Mullvad 1 Mullvad Vpn 2024-11-21 7.8 High
An issue was discovered in Mullvad VPN Windows app before 2023.6-beta1. Insufficient permissions on a directory allow any local unprivileged user to escalate privileges to SYSTEM.
CVE-2023-50445 2 Gl-inet, Gl.inet 36 Gl-a1300, Gl-a1300 Firmware, Gl-ar300m and 33 more 2024-11-21 7.8 High
Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7., allows local attackers to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module.
CVE-2023-50443 2 Microsoft, Primx 2 Windows, Cryhod 2024-11-21 4.6 Medium
Encrypted disks created by PRIMX CRYHOD for Windows before Q.2020.4 (ANSSI qualification submission) or CRYHOD for Windows before 2023.5 can be modified by an unauthenticated attacker to include a UNC reference so that it could trigger outbound network traffic from computers on which disks are opened.