Total
264353 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-41936 | 1 Jenkins | 1 Google Login | 2024-09-26 | 7.5 High |
| Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token. | ||||
| CVE-2023-31242 | 1 Openautomationsoftware | 1 Oas Platform | 2024-09-26 | 8.1 High |
| An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-41937 | 1 Jenkins | 1 Bitbucket Push And Pull Request | 2024-09-26 | 7.5 High |
| Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. | ||||
| CVE-2023-34998 | 1 Openautomationsoftware | 1 Oas Platform | 2024-09-26 | 8.1 High |
| An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary authentication. An attacker can sniff network traffic to trigger this vulnerability. | ||||
| CVE-2023-41938 | 1 Jenkins | 1 Ivy | 2024-09-26 | 6.5 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules. | ||||
| CVE-2023-41941 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-09-26 | 4.3 Medium |
| A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. | ||||
| CVE-2023-41942 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-09-26 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue. | ||||
| CVE-2023-34353 | 1 Openautomationsoftware | 1 Oas Platform | 2024-09-26 | 7.5 High |
| An authentication bypass vulnerability exists in the OAS Engine authentication functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted network sniffing can lead to decryption of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. | ||||
| CVE-2023-41943 | 1 Jenkins | 1 Aws Codecommit Trigger | 2024-09-26 | 6.5 Medium |
| Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue. | ||||
| CVE-2023-35124 | 1 Openautomationsoftware | 1 Oas Platform | 2024-09-26 | 3.1 Low |
| An information disclosure vulnerability exists in the OAS Engine configuration management functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to a disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-41646 | 1 Perrymitchell | 1 Buttercup | 2024-09-26 | 5.3 Medium |
| Buttercup v2.20.3 allows attackers to obtain the hash of the master password for the password manager via accessing the file /vaults.json/ | ||||
| CVE-2023-32271 | 1 Openautomationsoftware | 1 Oas Platform | 2024-09-26 | 6.5 Medium |
| An information disclosure vulnerability exists in the OAS Engine configuration management functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to a disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-34994 | 1 Openautomationsoftware | 1 Oas Platform | 2024-09-26 | 3.1 Low |
| An improper resource allocation vulnerability exists in the OAS Engine configuration management functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to creation of an arbitrary directory. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-34357 | 1 Scshr | 1 Hr Portal | 2024-09-26 | 7.8 High |
| Soar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for Forgotten Password. The reset password link sent out through e-mail, and the link will remain valid after the password has been reset and after the expected expiration date. An attacker with access to the browser history or has the line can thus use the URL again to change the password in order to take over the account. | ||||
| CVE-2023-34317 | 1 Openautomationsoftware | 1 Oas Platform | 2024-09-26 | 6.5 Medium |
| An improper input validation vulnerability exists in the OAS Engine User Creation functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to unexpected data in the configuration. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-32615 | 1 Openautomationsoftware | 1 Oas Platform | 2024-09-26 | 6.5 Medium |
| A file write vulnerability exists in the OAS Engine configuration functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary file creation or overwrite. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-41946 | 1 Jenkins | 1 Frugal Testing | 2024-09-26 | 3.5 Low |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username. | ||||
| CVE-2023-41150 | 1 F-revocrm | 1 F-revocrm | 2024-09-26 | 5.4 Medium |
| F-RevoCRM 7.3 series prior to version7.3.8 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product. | ||||
| CVE-2024-8731 | 1 Leira | 1 Cron Jobs | 2024-09-26 | 6.1 Medium |
| The Cron Jobs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2023-39514 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-09-26 | 6.1 Medium |
| Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `graphs.php` displays graph details such as data-source paths, data template information and graph related fields. _CENSUS_ found that an adversary that is able to configure either a data-source template with malicious code appended in the data-source name or a device with a malicious payload injected in the device name, may deploy a stored XSS attack against any user with _General Administration>Graphs_ privileges. A user that possesses the _Template Editor>Data Templates_ permissions can configure the data-source name in _cacti_. Please note that this may be a _low privileged_ user. This configuration occurs through `http://<HOST>/cacti/data_templates.php` by editing an existing or adding a new data template. If a template is linked to a graph then the formatted template name will be rendered in the graph's management page. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device name in _cacti_. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should add manual HTML escaping. | ||||