Search Results (364156 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-38286 2 Codecentric, Thymeleaf 2 Spring Boot Admin, Thymeleaf 2024-11-21 7.5 High
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
CVE-2023-38283 3 Bgp, Openbgpd, Openbsd 3 Openbgpd, Openbgpd, Openbsd 2024-11-21 5.3 Medium
In OpenBGPD before 8.1, incorrect handling of BGP update data (length of path attributes) set by a potentially distant remote actor may cause the system to incorrectly reset a session. This is fixed in OpenBSD 7.3 errata 006.
CVE-2023-38280 1 Ibm 1 Hardware Management Console 2024-11-21 8.4 High
IBM HMC (Hardware Management Console) 10.1.1010.0 and 10.2.1030.0 could allow a local user to escalate their privileges to root access on a restricted shell. IBM X-Force ID: 260740.
CVE-2023-38276 1 Ibm 1 Cognos Dashboards On Cloud Pak For Data 2024-11-21 5.9 Medium
IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in environment variables which could aid in further attacks against the system. IBM X-Force ID: 260736.
CVE-2023-38275 1 Ibm 1 Cognos Dashboards On Cloud Pak For Data 2024-11-21 5.9 Medium
IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in container images which could lead to further attacks against the system. IBM X-Force ID: 260730.
CVE-2023-38273 1 Ibm 1 Cloud Pak System 2024-11-21 7.5 High
IBM Cloud Pak System 2.3.1.1, 2.3.2.0, and 2.3.3.7 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 260733.
CVE-2023-38268 3 Ibm, Linux, Microsoft 4 Aix, Infosphere Information Server, Linux Kernel and 1 more 2024-11-21 4.3 Medium
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 260585.
CVE-2023-38263 1 Ibm 1 Soar Qradar Plugin App 2024-11-21 6.5 Medium
IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow an authenticated user to perform unauthorized actions due to improper access controls. IBM X-Force ID: 260577.
CVE-2023-38259 1 Apple 1 Macos 2024-11-21 5.5 Medium
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Monterey 12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. An app may be able to access user-sensitive data.
CVE-2023-38258 1 Apple 1 Macos 2024-11-21 5.5 Medium
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.5, macOS Monterey 12.6.8. Processing a 3D model may result in disclosure of process memory.
CVE-2023-38257 1 Iagona 1 Scrutisweb 2024-11-21 7.5 High
Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insecure direct object reference vulnerability that could allow an unauthenticated user to view profile information, including user login names and encrypted passwords.
CVE-2023-38255 1 Socomec 2 Modulys Gp, Modulys Gp Firmware 2024-11-21 6.5 Medium
A potential attacker with or without (cookie theft) access to the device would be able to include malicious code (XSS) when uploading new device configuration that could affect the intended function of the device.
CVE-2023-38218 1 Adobe 2 Commerce, Magento 2024-11-21 8.8 High
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Incorrect Authorization . An authenticated attacker can exploit this to achieve information exposure and privilege escalation.
CVE-2023-38199 1 Owasp 1 Coreruleset 2024-11-21 9.8 Critical
coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.
CVE-2023-38197 3 Fedoraproject, Qt, Redhat 3 Fedora, Qt, Enterprise Linux 2024-11-21 7.5 High
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVE-2023-38195 1 Datalust 1 Seq 2024-11-21 4.9 Medium
Datalust Seq before 2023.2.9489 allows insertion of sensitive information into an externally accessible file or directory. This is exploitable only when external (SQL Server or PostgreSQL) metadata storage is used. Exploitation can only occur from a high-privileged user account.
CVE-2023-38194 1 Superwebmailer 1 Superwebmailer 2024-11-21 6.1 Medium
An issue was discovered in SuperWebMailer 9.00.0.01710. It allows keepalive.php XSS via a GET parameter.
CVE-2023-38193 1 Superwebmailer 1 Superwebmailer 2024-11-21 8.8 High
An issue was discovered in SuperWebMailer 9.00.0.01710. It allows Remote Code Execution via a crafted sendmail command line.
CVE-2023-38192 1 Superwebmailer 1 Superwebmailer 2024-11-21 6.1 Medium
An issue was discovered in SuperWebMailer 9.00.0.01710. It allows superadmincreate.php XSS via crafted incorrect passwords.
CVE-2023-38191 1 Superwebmailer 1 Superwebmailer 2024-11-21 6.1 Medium
An issue was discovered in SuperWebMailer 9.00.0.01710. It allows spamtest_external.php XSS via a crafted filename.