βΌ CVE-2023-44163 βΌ
π Read
via "National Vulnerability Database".
The 'search' parameter of the process_search.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44174 βΌ
π Read
via "National Vulnerability Database".
Online Movie Ticket Booking System v1.0 is vulnerable toan authenticated Stored Cross-Site Scripting vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43014 βΌ
π Read
via "National Vulnerability Database".
Asset Management System v1.0 is vulnerable toan Authenticated SQL Injection vulnerabilityon the 'first_name' and 'last_name' parametersof user.php page, allowing an authenticatedattacker to dump all the contents of the databasecontents.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44164 βΌ
π Read
via "National Vulnerability Database".
The 'Email' parameter of the process_login.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43654 βΌ
π Read
via "National Vulnerability Database".
TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43739 βΌ
π Read
via "National Vulnerability Database".
The 'bookisbn' parameter of the cart.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44168 βΌ
π Read
via "National Vulnerability Database".
The 'phone' parameter of the process_registration.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43662 βΌ
π Read
via "National Vulnerability Database".
ShokoServer is a media server which specializes in organizing anime. In affected versions the `/api/Image/WithPath` endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter `serverImagePath`, which is not sanitized in any way before being passed to `System.IO.File.OpenRead`, which results in an arbitrary file read. This issue may lead to an arbitrary file read which is exacerbated in the windows installer which installs the ShokoServer as administrator. Any unauthenticated attacker may be able to access sensitive information and read files stored on the server. The `/api/Image/WithPath` endpoint has been removed in commit `6c57ba0f0` which will be included in subsequent releases. Users should limit access to the `/api/Image/WithPath` endpoint or manually patch their installations until a patched release is made. This issue was discovered by the GitHub Security lab and is also indexed as GHSL-2023-191.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44165 βΌ
π Read
via "National Vulnerability Database".
The 'Password' parameter of the process_login.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44166 βΌ
π Read
via "National Vulnerability Database".
The 'age' parameter of the process_registration.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44167 βΌ
π Read
via "National Vulnerability Database".
The 'name' parameter of the process_registration.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4532 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2233 βΌ
π Read
via "National Vulnerability Database".
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-3906 βΌ
π Read
via "National Vulnerability Database".
An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44464 βΌ
π Read
via "National Vulnerability Database".
pretix before 2023.7.2 allows Pillow to parse EPS files.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3922 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0989 βΌ
π Read
via "National Vulnerability Database".
An information disclosure issue in GitLab CE/EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3914 βΌ
π Read
via "National Vulnerability Database".
A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3979 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge requestΓ’β¬β’s source branch.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5198 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26147 βΌ
π Read
via "National Vulnerability Database".
All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build headers values. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content, like for example additional headers or new response body, leading to a potential XSS vulnerability.π Read
via "National Vulnerability Database".