‼ CVE-2023-25162 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0818 ‼
📖 Read
via "National Vulnerability Database".
Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-24647 ‼
📖 Read
via "National Vulnerability Database".
Food Ordering System v2.0 was discovered to contain a SQL injection vulnerability via the email parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0817 ‼
📖 Read
via "National Vulnerability Database".
Buffer Over-read in GitHub repository gpac/gpac prior to v2.3.0-DEV.📖 Read
via "National Vulnerability Database".
‼ CVE-2015-10079 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in juju2143 WalrusIRC 0.0.2. It has been rated as problematic. This issue affects the function parseLinks of the file public/parser.js. The manipulation of the argument text leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 0.0.3 is able to address this issue. The name of the patch is 45fd885895ae13e8d9b3a71e89d59768914f60af. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220751.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-25160 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-25572 ‼
📖 Read
via "National Vulnerability Database".
react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `<RichTextField>` by a custom field doing sanitization by hand.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-24646 ‼
📖 Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allows attackers to execute arbitrary code via a crafted PHP file.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-24648 ‼
📖 Read
via "National Vulnerability Database".
Zstore v6.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-25241 ‼
📖 Read
via "National Vulnerability Database".
bgERP v22.31 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4905 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in UDX Stateless Media Plugin 3.1.1. It has been declared as problematic. This vulnerability affects the function setup_wizard_interface of the file lib/classes/class-settings.php. The manipulation of the argument settings leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 3.2.0 is able to address this issue. The name of the patch is 6aee7ae0b0beeb2232ce6e1c82aa7e2041ae151a. It is recommended to upgrade the affected component. VDB-220750 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-25161 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-24086 ‼
📖 Read
via "National Vulnerability Database".
SLIMS v9.5.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /customs/loan_by_class.php?reportView.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-25240 ‼
📖 Read
via "National Vulnerability Database".
An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-24084 ‼
📖 Read
via "National Vulnerability Database".
ChiKoi v1.0 was discovered to contain a SQL injection vulnerability via the load_file function.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-47034 ‼
📖 Read
via "National Vulnerability Database".
A type juggling vulnerability in the component /auth/fn.php of PlaySMS v1.4.5 and earlier allows attackers to bypass authentication.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45962 ‼
📖 Read
via "National Vulnerability Database".
Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0819 ‼
📖 Read
via "National Vulnerability Database".
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2.3.0-DEV.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22370 ‼
📖 Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** Stored cross-site scripting vulnerability in Wired/Wireless LAN Pan/Tilt Network Camera CS-WMV02G all versions allows a network-adjacent authenticated attacker to inject an arbitrary script. NOTE: This vulnerability only affects products that are no longer supported by the developer.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0025 ‼
📖 Read
via "National Vulnerability Database".
SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-24523 ‼
📖 Read
via "National Vulnerability Database".
An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable.📖 Read
via "National Vulnerability Database".