Total
11827 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-34448 | 1 Getgrav | 1 Grav | 2024-08-02 | 8.8 High |
| Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`. | ||||
| CVE-2023-34390 | 1 Selinc | 2 Sel-451, Sel-451 Firmware | 2024-08-02 | 4.5 Medium |
| An input validation vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote authenticated attacker to create a denial of service against the system and locking out services. See product Instruction Manual Appendix A dated 20230830 for more details. | ||||
| CVE-2023-34239 | 1 Gradio Project | 1 Gradio | 2024-08-02 | 7.3 High |
| Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-34152 | 3 Fedoraproject, Imagemagick, Redhat | 4 Extra Packages For Enterprise Linux, Fedora, Imagemagick and 1 more | 2024-08-02 | 9.8 Critical |
| A vulnerability was found in ImageMagick. This security flaw cause a remote code execution vulnerability in OpenBlob with --enable-pipes configured. | ||||
| CVE-2023-34102 | 1 Avohq | 1 Avo | 2024-08-02 | 8.3 High |
| Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. This issue has been addressed in commit `ec117882d` which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made. | ||||
| CVE-2023-34111 | 1 Tdengine | 1 Grafana | 2024-08-02 | 8.1 High |
| The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources. | ||||
| CVE-2023-33964 | 1 Multiversx | 1 Mx-chain-go | 2024-08-02 | 8.6 High |
| mx-chain-go is an implementation of the MultiversX blockchain protocol written in the Go language. Metachain cannot process a cross-shard miniblock. Prior to version 1.4.16, an invalid transaction with the wrong username on metachain is not treated correctly on the metachain transaction processor. This is strictly a processing issue that could have happened on MultiversX chain. If an error like this had occurred, the metachain would have stopped notarizing blocks from the shard chains. The resuming of notarization is possible only after applying a patched binary version. A patch in version 1.4.16 introduces `processIfTxErrorCrossShard` for the metachain transaction processor. There are no known workarounds for this issue. | ||||
| CVE-2023-33182 | 1 Nextcloud | 1 Contacts | 2024-08-02 | 0 Low |
| Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4 | ||||
| CVE-2023-33217 | 1 Idemia | 16 Morphowave Compact, Morphowave Compact Firmware, Morphowave Sp and 13 more | 2024-08-02 | 4.9 Medium |
| By abusing a design flaw in the firmware upgrade mechanism of the impacted terminal it's possible to cause a permanent denial of service for the terminal. the only way to recover the terminal is by sending back the terminal to the manufacturer | ||||
| CVE-2023-33103 | 2024-08-02 | 7.5 High | ||
| Transient DOS while processing CAG info IE received from NW. | ||||
| CVE-2023-33100 | 2024-08-02 | 7.5 High | ||
| Transient DOS while processing DL NAS Transport message when message ID is not defined in the 3GPP specification. | ||||
| CVE-2023-33099 | 2024-08-02 | 7.5 High | ||
| Transient DOS while processing SMS container of non-standard size received in DL NAS transport in NR. | ||||
| CVE-2023-33042 | 1 Qualcomm | 148 315 5g Iot Modem, 315 5g Iot Modem Firmware, Ar8035 and 145 more | 2024-08-02 | 7.5 High |
| Transient DOS in Modem after RRC Setup message is received. | ||||
| CVE-2023-33057 | 1 Qualcomm | 202 315 5g Iot Modem, 315 5g Iot Modem Firmware, Ar8035 and 199 more | 2024-08-02 | 7.5 High |
| Transient DOS in Multi-Mode Call Processor while processing UE policy container. | ||||
| CVE-2023-32890 | 1 Mediatek | 45 Lr13, Mt2735, Mt6779 and 42 more | 2024-08-02 | 7.5 High |
| In modem EMM, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01183647; Issue ID: MOLY01183647 (MSV-963). | ||||
| CVE-2023-33014 | 1 Qualcomm | 74 Ar8035, Ar8035 Firmware, Fastconnect 6700 and 71 more | 2024-08-02 | 7.6 High |
| Information disclosure in Core services while processing a Diag command. | ||||
| CVE-2023-32727 | 1 Zabbix | 1 Zabbix Server | 2024-08-02 | 6.8 Medium |
| An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server. | ||||
| CVE-2023-32721 | 1 Zabbix | 1 Zabbix | 2024-08-02 | 7.6 High |
| A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL. | ||||
| CVE-2023-32695 | 1 Socket | 1 Socket.io-parser | 2024-08-02 | 7.3 High |
| socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3. | ||||
| CVE-2023-32728 | 1 Zabbix | 1 Zabbix-agent2 | 2024-08-02 | 4.6 Medium |
| The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution. | ||||