Search Results (37066 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-43645 1 Openfga 1 Openfga 2024-11-21 5.9 Medium
OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA is vulnerable to a denial of service attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die. Users are advised to upgrade to v1.3.2 and update any offending models. There are no known workarounds for this vulnerability. Note that for models which contained cycles or a relation definition that has the relation itself in its evaluation path, checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. Users who do not have cyclic models are unaffected.
CVE-2023-43640 1 Speciesfilegroup 1 Taxonworks 2024-11-21 6.5 Medium
TaxonWorks is a web-based workbench designed for taxonomists and biodiversity scientists. Prior to version 0.34.0, a SQL injection vulnerability was found in TaxonWorks that allows authenticated attackers to extract arbitrary data from the TaxonWorks database (including the users table). This issue may lead to information disclosure. Version 0.34.0 contains a fix for the issue.
CVE-2023-43508 1 Arubanetworks 1 Clearpass Policy Manager 2024-11-21 6.3 Medium
Vulnerabilities in the web-based management interface of ClearPass Policy Manager allow an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of these vulnerabilities allow an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform.
CVE-2023-43507 1 Arubanetworks 1 Clearpass Policy Manager 2024-11-21 7.2 High
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster.
CVE-2023-43501 1 Jenkins 1 Build Failure Analyzer 2024-11-21 6.5 Medium
A missing permission check in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password.
CVE-2023-43488 1 Boschrexroth 6 Ctrlx Hmi Web Panel Wr2107, Ctrlx Hmi Web Panel Wr2107 Firmware, Ctrlx Hmi Web Panel Wr2110 and 3 more 2024-11-21 7.9 High
The vulnerability allows a low privileged (untrusted) application to modify a critical system property that should be denied, in order to enable the ADB (Android Debug Bridge) protocol to be exposed on the network, exploiting it to gain a privileged shell on the device without requiring the physical access through USB.
CVE-2023-43470 1 Janobe 1 Online Voting System 2024-11-21 9.8 Critical
SQL injection vulnerability in janobe Online Voting System v.1.0 allows a remote attacker to execute arbitrary code via the checklogin.php component.
CVE-2023-43469 1 Online Job Portal Project 1 Online Job Portal 2024-11-21 9.8 Critical
SQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via the ForPass.php component.
CVE-2023-43468 1 Online Job Portal Project 1 Online Job Portal 2024-11-21 9.8 Critical
SQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via the login.php component.
CVE-2023-43381 1 Tianchoy 1 Blog 2024-11-21 7.5 High
SQL Injection vulnerability in Tianchoy Blog v.1.8.8 allows a remote attacker to obtain sensitive information via the id parameter in the login.php
CVE-2023-43377 1 Digitaldruid 1 Hoteldruid 2024-11-21 5.4 Medium
A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter.
CVE-2023-43375 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters.
CVE-2023-43374 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php.
CVE-2023-43373 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.
CVE-2023-43371 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php.
CVE-2023-43274 1 Phpjabbers 1 Php Shopping Cart 2024-11-21 7.5 High
Phpjabbers PHP Shopping Cart 4.2 is vulnerable to SQL Injection via the id parameter.
CVE-2023-43194 1 Rcos 1 Submitty 2024-11-21 5.3 Medium
Submitty before v22.06.00 is vulnerable to Incorrect Access Control. An attacker can delete any post in the forum by modifying request parameter.
CVE-2023-43192 1 Jrecms 1 Springbootcms 2024-11-21 8.8 High
SQL injection can exist in a newly created part of the SpringbootCMS 1.0 background, and the parameters submitted by users are not filtered. As a result, special characters in parameters destroy the original logic of SQL statements. Attackers can use this vulnerability to execute any SQL statement.
CVE-2023-43154 1 Macs Cms Project 1 Macs Cms 2024-11-21 9.8 Critical
In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.
CVE-2023-43144 1 Projectworlds 1 Asset Management System Project In Php 2024-11-21 9.8 Critical
Projectworldsl Assets-management-system-in-php 1.0 is vulnerable to SQL Injection via the "id" parameter in delete.php.