Total
3676 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-36992 | 1 Travianz Project | 1 Travianz | 2024-11-21 | N/A | 7.2 HIGH |
| PHP injection in TravianZ 8.3.4 and 8.3.3 in the config editor in the admin page allows remote attackers to execute PHP code. | |||||
| CVE-2023-36923 | 1 Sap | 1 Powerdesigner | 2024-11-21 | N/A | 7.8 HIGH |
| SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2023-36859 | 1 Piigab | 2 M-bus 900s, M-bus 900s Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| PiiGAB M-Bus SoftwarePack 900S does not correctly sanitize user input, which could allow an attacker to inject arbitrary commands. | |||||
| CVE-2023-36789 | 1 Microsoft | 1 Skype For Business Server | 2024-11-21 | N/A | 7.2 HIGH |
| Skype for Business Remote Code Execution Vulnerability | |||||
| CVE-2023-36645 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| SQL injection vulnerability in ITB-GmbH TradePro v9.5, allows remote attackers to run SQL queries via oordershow component in customer function. | |||||
| CVE-2023-36542 | 1 Apache | 1 Nifi | 2024-11-21 | N/A | 8.8 HIGH |
| Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation. | |||||
| CVE-2023-36467 | 1 Amazon | 1 Aws-dataall | 2024-11-21 | N/A | 8.0 HIGH |
| AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended work around. | |||||
| CVE-2023-36437 | 1 Microsoft | 1 Azure Pipelines Agent | 2024-11-21 | N/A | 8.8 HIGH |
| Azure DevOps Server Remote Code Execution Vulnerability | |||||
| CVE-2023-36281 | 1 Langchain | 1 Langchain | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to __subclasses__ or a template. | |||||
| CVE-2023-36255 | 1 Eramba | 1 Eramba | 2024-11-21 | N/A | 8.8 HIGH |
| An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL. | |||||
| CVE-2023-36177 | 1 Badaix | 1 Snapcast | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API. | |||||
| CVE-2023-36095 | 1 Langchain | 1 Langchain | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt. | |||||
| CVE-2023-35926 | 1 Linuxfoundation | 1 Backstage | 2024-11-21 | N/A | 8.0 HIGH |
| Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`. | |||||
| CVE-2023-35701 | 2024-11-21 | N/A | 6.6 MEDIUM | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive. The vulnerability affects the Hive JDBC driver component and it can potentially lead to arbitrary code execution on the machine/endpoint that the JDBC driver (client) is running. The malicious user must have sufficient permissions to specify/edit JDBC URL(s) in an endpoint relying on the Hive JDBC driver and the JDBC client process must run under a privileged user to fully exploit the vulnerability. The attacker can setup a malicious HTTP server and specify a JDBC URL pointing towards this server. When a JDBC connection is attempted, the malicious HTTP server can provide a special response with customized payload that can trigger the execution of certain commands in the JDBC client.This issue affects Apache Hive: from 4.0.0-alpha-1 before 4.0.0. Users are recommended to upgrade to version 4.0.0, which fixes the issue. | |||||
| CVE-2023-35333 | 1 Microsoft | 1 Pandocupload | 2024-11-21 | N/A | 8.8 HIGH |
| MediaWiki PandocUpload Extension Remote Code Execution Vulnerability | |||||
| CVE-2023-35152 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 9.9 CRITICAL |
| XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually. | |||||
| CVE-2023-35150 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 9.9 CRITICAL |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8. | |||||
| CVE-2023-34842 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A | 9.8 CRITICAL |
| Remote Code Execution vulnerability in DedeCMS through 5.7.109 allows remote attackers to run arbitrary code via crafted POST request to /dede/tpl.php. | |||||
| CVE-2023-34644 | 1 Ruijie | 130 Re-eg1000m, Re-eg1000m Firmware, Rg-eg1000c and 127 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| Remote code execution vulnerability in Ruijie Networks Product: RG-EW series home routers and repeaters EW_3.0(1)B11P204, RG-NBS and RG-S1930 series switches SWITCH_3.0(1)B11P218, RG-EG series business VPN routers EG_3.0(1)B11P216, EAP and RAP series wireless access points AP_3.0(1)B11P218, NBC series wireless controllers AC_3.0(1)B11P86 allows unauthorized remote attackers to gain the highest privileges via crafted POST request to /cgi-bin/luci/api/auth. | |||||
| CVE-2023-34468 | 1 Apache | 1 Nifi | 2024-11-21 | N/A | 8.8 HIGH |
| The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue. | |||||