Total
981 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-48205 | 1 Jorani | 1 Leave Management System | 2023-12-11 | N/A | 5.3 MEDIUM |
| Jorani Leave Management System 1.0.2 allows a remote attacker to spoof a Host header associated with password reset emails. | |||||
| CVE-2023-48835 | 1 Phpjabbers | 1 Car Rental Script | 2023-12-09 | N/A | 8.8 HIGH |
| Car Rental Script v3.0 is vulnerable to CSV Injection via a Language > Labels > Export action. | |||||
| CVE-2023-48830 | 1 Phpjabbers | 1 Shuttle Booking Software | 2023-12-09 | N/A | 8.8 HIGH |
| Shuttle Booking Software 2.0 is vulnerable to CSV Injection in the Languages section via an export. | |||||
| CVE-2023-48826 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-12-09 | N/A | 8.8 HIGH |
| Time Slots Booking Calendar 4.0 is vulnerable to CSV Injection via the unique ID field of the Reservations List. | |||||
| CVE-2023-48841 | 1 Phpjabbers | 1 Appointment Scheduler | 2023-12-09 | N/A | 8.8 HIGH |
| Appointment Scheduler 3.0 is vulnerable to CSV Injection via a Language > Labels > Export action. | |||||
| CVE-2020-12965 | 1 Amd | 126 Athlon 3050ge, Athlon 3050ge Firmware, Athlon 3150g and 123 more | 2023-12-06 | 5.0 MEDIUM | 7.5 HIGH |
| When combined with specific software sequences, AMD CPUs may transiently execute non-canonical loads and store using only the lower 48 address bits potentially resulting in data leakage. | |||||
| CVE-2023-35075 | 1 Mattermost | 1 Mattermost | 2023-11-30 | N/A | 5.4 MEDIUM |
| Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though. | |||||
| CVE-2023-49214 | 1 Usedesk | 1 Usedesk | 2023-11-30 | N/A | 9.8 CRITICAL |
| Usedesk before 1.7.57 allows chat template injection. | |||||
| CVE-2022-3643 | 3 Broadcom, Debian, Linux | 3 Bcm5780, Debian Linux, Linux Kernel | 2023-11-29 | N/A | 6.5 MEDIUM |
| Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. | |||||
| CVE-2023-48199 | 1 Grocy Project | 1 Grocy | 2023-11-28 | N/A | 7.8 HIGH |
| HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTML content without script execution. This occurs when user-supplied data is not appropriately sanitized, enabling the injection of HTML tags through parameter values. The attacker can then manipulate page content in the QR code detail popup, often coupled with social engineering tactics, exploiting both the trust of users and the application's lack of proper input handling. | |||||
| CVE-2023-5340 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2023-11-27 | N/A | 9.8 CRITICAL |
| The Five Star Restaurant Menu and Food Ordering WordPress plugin before 2.4.11 unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog. | |||||
| CVE-2023-29405 | 2 Fedoraproject, Golang | 2 Fedora, Go | 2023-11-25 | N/A | 9.8 CRITICAL |
| The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler. | |||||
| CVE-2022-4188 | 1 Google | 2 Android, Chrome | 2023-11-25 | N/A | 4.3 MEDIUM |
| Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2023-47119 | 1 Discourse | 1 Discourse | 2023-11-16 | N/A | 6.1 MEDIUM |
| Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. | |||||
| CVE-2022-4170 | 2 Fedoraproject, Rxvt-unicode Project | 3 Extra Packages For Enterprise Linux, Fedora, Rxvt-unicode | 2023-11-14 | N/A | 9.8 CRITICAL |
| The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. | |||||
| CVE-2023-4767 | 1 Zohocorp | 1 Manageengine Desktop Central | 2023-11-13 | N/A | 6.1 MEDIUM |
| A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv. | |||||
| CVE-2023-4393 | 1 Liquidfiles | 1 Liquidfiles | 2023-11-08 | N/A | 6.1 MEDIUM |
| HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker to perform more advanced phishing attacks against an organization. | |||||
| CVE-2023-4197 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-11-08 | N/A | 8.8 HIGH |
| Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. | |||||
| CVE-2023-4212 | 1 Trane | 8 Pivot, Pivot Firmware, Xl1050 and 5 more | 2023-11-07 | N/A | 6.8 MEDIUM |
| A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick. | |||||
| CVE-2023-29400 | 1 Golang | 1 Go | 2023-11-07 | N/A | 7.3 HIGH |
| Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. | |||||