Total: 3677 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-31447 | 1 Draytek | 4 Vigor2620, Vigor2620 Firmware, Vigor2625 and 1 more | 2024-11-21 | N/A | 9.8 CRITICAL | user_login.cgi on Draytek Vigor2620 devices before 3.9.8.4 (and on all versions of Vigor2925 devices) allows attackers to send a crafted payload to modify the content of the code segment, insert shellcode, and execute arbitrary code.
CVE-2023-31415 | 1 Elastic | 1 Kibana | 2024-11-21 | N/A | 8.8 HIGH | Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with the permissions of the Kibana process.
CVE-2023-31414 | 1 Elastic | 1 Kibana | 2024-11-21 | N/A | 8.8 HIGH | Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to the Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with the permissions of the Kibana process.
CVE-2023-31315 | | | 2024-11-21 | N/A | 7.5 HIGH | Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution.
CVE-2023-31296 | 1 Sesami | 1 Cash Point & Transport Optimizer | 2024-11-21 | N/A | 5.3 MEDIUM | CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) allows attackers to obtain sensitive information via the User Name field.
CVE-2023-30990 | 1 Ibm | 1 I | 2024-11-21 | N/A | 8.6 HIGH | IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of the DDM architecture. IBM X-Force ID: 254036.
CVE-2023-30912 | 1 Hpe | 1 Oneview | 2024-11-21 | N/A | 7.2 HIGH | A remote code execution issue exists in HPE OneView.
CVE-2023-30537 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 9.9 CRITICAL | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties of `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.
CVE-2023-30179 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | N/A | 7.2 HIGH | CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default.
CVE-2023-30145 | 1 Tuzitio | 1 Camaleon Cms | 2024-11-21 | N/A | 9.8 CRITICAL | Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.
CVE-2023-30131 | 1 Ixpdata | 1 Easyinstall | 2024-11-21 | N/A | 9.8 CRITICAL | An issue discovered in IXP EasyInstall 6.6.14884.0 allows attackers to run arbitrary commands, gain escalated privilege, and cause other unspecified impacts via unauthenticated API calls.
CVE-2023-30130 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | N/A | 8.8 HIGH | An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.
CVE-2023-2943 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A | 8.8 HIGH | Code Injection in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2928 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in DedeCMS up to 5.7.106. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file uploads/dede/article_allowurl_edit.php. The manipulation of the argument allurls leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230083.
CVE-2023-2859 | 1 Teampass | 1 Teampass | 2024-11-21 | N/A | 8.8 HIGH | Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
CVE-2023-2583 | 1 Jsreport | 1 Jsreport | 2024-11-21 | N/A | 10.0 CRITICAL | Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.
CVE-2023-2359 | 1 Themepunch | 1 Slider Revolution | 2024-11-21 | N/A | 8.8 HIGH | The Slider Revolution WordPress plugin through 6.6.12 does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations.
CVE-2023-2259 | 1 Alf | 1 Alf | 2024-11-21 | N/A | 7.2 HIGH | Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.
CVE-2023-2056 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in DedeCMS up to 5.7.87 and classified as critical. This issue affects the function GetSystemFile of the file module_main.php. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-225941 was assigned to this vulnerability.
CVE-2023-2017 | 1 Shopware | 1 Shopware | 2024-11-21 | N/A | 8.8 HIGH | Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both the shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function, and thus execute arbitrary code/commands, via usage of fully-qualified names, supplied as an array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.