βΌ CVE-2023-39816 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5740 βΌ
π Read
via "National Vulnerability Database".
The Live Chat with Facebook Messenger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'messenger' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5730 βΌ
π Read
via "National Vulnerability Database".
Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27377 βΌ
π Read
via "National Vulnerability Database".
Missing authentication in the StudentPopupDetails_EmergencyContactDetails method in IDAttendΓ’β¬β’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46071 βΌ
π Read
via "National Vulnerability Database".
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ClickDatos ProtecciΓΒ³n de Datos RGPD plugin <=Γ 3.1.0 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45837 βΌ
π Read
via "National Vulnerability Database".
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in XYDAC Ultimate Taxonomy Manager plugin <=Γ 2.0 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-42850 βΌ
π Read
via "National Vulnerability Database".
The issue was addressed with improved permissions logic. This issue is fixed in macOS Sonoma 14.1. An app may be able to access sensitive user data.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46118 βΌ
π Read
via "National Vulnerability Database".
RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.π Read
via "National Vulnerability Database".
βΌ CVE-2023-40404 βΌ
π Read
via "National Vulnerability Database".
A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Sonoma 14.1. An app may be able to execute arbitrary code with kernel privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2023-39740 βΌ
π Read
via "National Vulnerability Database".
The leakage of the client secret in Onigiriya-musubee Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46128 βΌ
π Read
via "National Vulnerability Database".
Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41982 βΌ
π Read
via "National Vulnerability Database".
This issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sonoma 14.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. An attacker with physical access may be able to use Siri to access sensitive user data.π Read
via "National Vulnerability Database".
βΌ CVE-2023-37913 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment's content to an attacker-controlled location on the server as long as the Java process has write access to that location. In particular in the combination with attachment moving, a feature introduced in XWiki 14.0, this is easy to reproduce but it also possible to reproduce in versions as old as XWiki 3.5 by uploading the attachment through the REST API which doesn't remove `/` or `\` from the filename. As the mime type of the attachment doesn't matter for the exploitation, this could e.g., be used to replace the `jar`-file of an extension which would allow executing arbitrary Java code and thus impact the confidentiality, integrity and availability of the XWiki installation. This vulnerability has been patched in XWiki 14.10.8 and 15.3RC1. There are no known workarounds apart from disabling the office converter.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45829 βΌ
π Read
via "National Vulnerability Database".
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in HappyBox Newsletter & Bulk Email Sender Γ’β¬β Email Newsletter Plugin for WordPress plugin <=Γ 2.0.1 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46070 βΌ
π Read
via "National Vulnerability Database".
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Emmanuel GEORJON EG-Attachments plugin <=Γ 2.1.3 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45761 βΌ
π Read
via "National Vulnerability Database".
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Joovii Sendle Shipping Plugin plugin <=Γ 5.13 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44794 βΌ
π Read
via "National Vulnerability Database".
An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.π Read
via "National Vulnerability Database".
βΌ CVE-2023-42494 βΌ
π Read
via "National Vulnerability Database".
EisBaer Scada - CWE-749: Exposed Dangerous Method or Functionπ Read
via "National Vulnerability Database".
βΌ CVE-2023-5085 βΌ
π Read
via "National Vulnerability Database".
The Advanced Menu Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'advMenu' shortcode in versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46151 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in AWESOME TOGI Product Category Tree plugin <=Γ 2.5 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5746 βΌ
π Read
via "National Vulnerability Database".
A vulnerability regarding use of externally-controlled format string is found in the cgi component. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.5-0185 may be affected: BC500 and TC500.π Read
via "National Vulnerability Database".