Search Results (37024 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-26443 1 Open-xchange 1 Open-xchange Appsuite Backend 2024-11-21 5.5 Medium
Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements. With existing sanitization in place, this can be abused to trigger benign SQL Exceptions but could potentially be escalated to a malicious SQL injection vulnerability. We now properly encode single quotes for SQL FULLTEXT queries. No publicly available exploits are known.
CVE-2023-26440 1 Open-xchange 1 Open-xchange Appsuite Office 2024-11-21 7.1 High
The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.
CVE-2023-26439 1 Open-xchange 1 Open-xchange Appsuite Office 2024-11-21 7.6 High
The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users cached data. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.
CVE-2023-26370 3 Adobe, Apple, Microsoft 5 Photoshop 2022, Photoshop 2023, Photoshop 2024 and 2 more 2024-11-21 7.8 High
Adobe Photoshop versions 23.5.5 (and earlier) and 24.7 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2023-26310 1 Oppo 2 Coloros, Find X3 2024-11-21 7.4 High
There is a command injection problem in the old version of the mobile phone backup app.
CVE-2023-26301 1 Hp 38 Color Laserjet Pro 4201-4203 4ra87f, Color Laserjet Pro 4201-4203 4ra87f Firmware, Color Laserjet Pro 4201-4203 4ra88f and 35 more 2024-11-21 9.8 Critical
Certain HP LaserJet Pro print products are potentially vulnerable to an Elevation of Privilege and/or Information Disclosure related to a lack of authentication with certain endpoints.
CVE-2023-26217 1 Tibco 1 Ebx Add-ons 2024-11-21 8.8 High
The Data Exchange Add-on component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged user with import permissions and network access to the EBX server to execute arbitrary SQL statements on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 4.5.17 and below, versions 5.6.2 and below, version 6.1.0.
CVE-2023-26151 1 Freeopcua 1 Opcua-asyncio 2024-11-21 5.3 Medium
Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.
CVE-2023-26143 1 Blamer Project 1 Blamer 2024-11-21 6.5 Medium
Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.
CVE-2023-25839 3 Apple, Esri, Microsoft 3 Macos, Arcgis Insights, Windows 2024-11-21 7 High
There is SQL injection vulnerability in Esri ArcGIS Insights Desktop for Mac and Windows version 2022.1 that may allow a local, authorized attacker to execute arbitrary SQL commands against the back-end database. The effort required to generate the crafted input required to exploit this issue is complex and requires significant effort before a successful attack can be expected.
CVE-2023-25838 1 Esri 1 Arcgis Insights 2024-11-21 7.5 High
There is SQL injection vulnerability in Esri ArcGIS Insights 2022.1 for ArcGIS Enterprise and that may allow a remote, authorized attacker to execute arbitrary SQL commands against the back-end database. The effort required to generate the crafted input required to exploit this issue is complex and requires significant effort before a successful attack can be expected.
CVE-2023-25799 1 Themeum 1 Tutor Lms 2024-11-21 8.3 High
Missing Authorization vulnerability in Themeum Tutor LMS.This issue affects Tutor LMS: from n/a through 2.1.8.
CVE-2023-25651 1 Zte 4 Mf286r, Mf286r Firmware, Mf833u1 and 1 more 2024-11-21 4.3 Medium
There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.
CVE-2023-25647 1 Zte 8 Axon 30, Axon 30 Firmware, Axon 40 Pro and 5 more 2024-11-21 4.7 Medium
There is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could monitor the touch event.
CVE-2023-25432 1 Online Reviewer Management System Project 1 Online Reviewer Management System 2024-11-21 7.2 High
An issue was discovered in Online Reviewer Management System v1.0. There is a SQL injection that can directly issue instructions to the background database system via reviewer_0/admins/assessments/course/course-update.php.
CVE-2023-25330 1 Mybatis 1 Mybatis 2024-11-21 9.8 Critical
A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer. NOTE: the vendor's position is that this can only occur in a misconfigured application; the documentation discusses how to develop applications that avoid SQL injection.
CVE-2023-25197 1 Apache 1 Fineract 2024-11-21 6.3 Medium
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components.   This issue affects apache fineract: from 1.4 through 1.8.2.
CVE-2023-25196 1 Apache 1 Fineract 2024-11-21 4.3 Medium
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components.   This issue affects Apache Fineract: from 1.4 through 1.8.2.
CVE-2023-24726 1 Phpgurukul 1 Art Gallery Management System 2024-11-21 9.8 Critical
Art Gallery Management System v1.0 was discovered to contain a SQL injection vulnerability via the viewid parameter on the enquiry page.
CVE-2023-24674 1 Bludit 1 Bludit 2024-11-21 7.8 High
Permissions vulnerability found in Bludit CMS v.4.0.0 allows local attackers to escalate privileges via the role:admin parameter.