Total
10666 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-20171 | 1 Cisco | 1 Identity Services Engine | 2023-11-07 | N/A | 6.5 MEDIUM |
| Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated attacker to delete or read arbitrary files on the underlying operating system. To exploit these vulnerabilities, an attacker must have valid credentials on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2023-20134 | 1 Cisco | 1 Webex Meetings | 2023-11-07 | N/A | 6.5 MEDIUM |
| Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or upload arbitrary files as recordings. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2023-20132 | 1 Cisco | 1 Webex Meetings | 2023-11-07 | N/A | 5.4 MEDIUM |
| Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or upload arbitrary files as recordings. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2023-20103 | 1 Cisco | 1 Secure Network Analytics | 2023-11-07 | N/A | 7.2 HIGH |
| A vulnerability in Cisco Secure Network Analytics could allow an authenticated, remote attacker to execute arbitrary code as a root user on an affected device. This vulnerability is due to insufficient validation of user input to the web interface. An attacker could exploit this vulnerability by uploading a crafted file to an affected device. A successful exploit could allow the attacker to execute code on the affected device. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device. | |||||
| CVE-2023-20072 | 1 Cisco | 1 Ios Xe | 2023-11-07 | N/A | 8.6 HIGH |
| A vulnerability in the fragmentation handling code of tunnel protocol packets in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected system to reload, resulting in a denial of service (DoS) condition. This vulnerability is due to the improper handling of large fragmented tunnel protocol packets. One example of a tunnel protocol is Generic Routing Encapsulation (GRE). An attacker could exploit this vulnerability by sending crafted fragmented packets to an affected system. A successful exploit could allow the attacker to cause the affected system to reload, resulting in a DoS condition. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. | |||||
| CVE-2023-1888 | 1 Wpwax | 1 Directorist | 2023-11-07 | N/A | 8.8 HIGH |
| The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset the password of an arbitrary user and gain elevated (e.g., administrator) privileges. | |||||
| CVE-2023-1250 | 1 Otrs | 1 Otrs | 2023-11-07 | N/A | 7.8 HIGH |
| Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | |||||
| CVE-2023-0869 | 1 Opennms | 2 Horizon, Meridian | 2023-11-07 | N/A | 6.1 MEDIUM |
| Cross-site scripting in outage/list.htm in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-0868 | 1 Opennms | 2 Horizon, Meridian | 2023-11-07 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting in graph results in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to steal session cookies. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-0867 | 1 Opennms | 2 Horizon, Meridian | 2023-11-07 | N/A | 6.1 MEDIUM |
| Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-0751 | 1 Freebsd | 1 Freebsd | 2023-11-07 | N/A | 6.5 MEDIUM |
| When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the user key file. If a user only uses a key file without a user passphrase, the master key is encrypted with an empty key file allowing trivial recovery of the master key. | |||||
| CVE-2022-4428 | 1 Cloudflare | 1 Warp | 2023-11-07 | N/A | 8.0 HIGH |
| support_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation which allowed for privilege escalation and launching an arbitrary executable on the local machine upon clicking on the "Send feedback" option. An attacker with access to the local file system could use a crafted XML config file pointing to a malicious file or set a local path to the executable using Cloudflare Zero Trust Dashboard (for Zero Trust enrolled clients). | |||||
| CVE-2022-4033 | 1 Expresstech | 1 Quiz And Survey Master | 2023-11-07 | N/A | 5.3 MEDIUM |
| The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc..). This makes it possible attackers to submit values other than the intended input type. | |||||
| CVE-2022-47924 | 1 Csaf-validator-lib Project | 1 Csaf-validator-lib | 2023-11-07 | N/A | 6.5 MEDIUM |
| An high privileged attacker may pass crafted arguments to the validate function of csaf-validator-lib of a locally installed Secvisogram in versions < 0.1.0 wich can result in arbitrary code execution and DoS once the users triggers the validation. | |||||
| CVE-2022-47917 | 1 Sewio | 1 Real-time Location System Studio | 2023-11-07 | N/A | 6.5 MEDIUM |
| Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to improper input validation of user input to several modules and services of the software. This could allow an attacker to delete arbitrary files and cause a denial-of-service condition. | |||||
| CVE-2022-46363 | 1 Apache | 1 Cxf | 2023-11-07 | N/A | 7.5 HIGH |
| A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured. | |||||
| CVE-2022-45088 | 1 Gruparge | 1 Smartpower Web | 2023-11-07 | N/A | 9.8 CRITICAL |
| Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows PHP Local File Inclusion.This issue affects Smartpower Web: before 23.01.01. | |||||
| CVE-2022-44756 | 1 Hcltechsw | 1 Bigfix Insights For Vulnerability Remediation | 2023-11-07 | N/A | 6.5 MEDIUM |
| Insights for Vulnerability Remediation (IVR) is vulnerable to improper input validation. This may lead to information disclosure. This requires privileged access. | |||||
| CVE-2022-44644 | 1 Apache | 1 Linkis | 2023-11-07 | N/A | 6.5 MEDIUM |
| In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1 | |||||
| CVE-2022-44617 | 1 X.org | 1 Libxpm | 2023-11-07 | N/A | 7.5 HIGH |
| A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library. | |||||