ReportizFlow
Filtered by vendor
Subscriptions
Total
4938 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40221 | 1 Socomec | 2 Modulys Gp, Modulys Gp Firmware | 2024-11-21 | 8.8 High |
| The absence of filters when loading some sections in the web application of the vulnerable device allows potential attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section (MAIL SERVER) where the information is displayed. Injection can be done on parameter MAIL_RCV. When a legitimate user attempts to review NOTIFICATION/MAIL SERVER, the injected code will be executed. | ||||
| CVE-2023-40177 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 9.9 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation. This issue is present since version 4.3M2 when AppWithinMinutes Application added support for the Content field, allowing any wiki page (including the user profile page) to use its content as an AWM Content field, which has a custom displayer that executes the content with the rights of the ``AppWithinMinutes.Content`` author, rather than the rights of the content author. The vulnerability has been fixed in XWiki 14.10.5 and 15.1RC1. The fix is in the content of the AppWithinMinutes.Content page that defines the custom displayer. By using the ``display`` script service to render the content we make sure that the proper author is used for access rights checks. | ||||
| CVE-2023-40050 | 1 Chef | 1 Automate | 2024-11-21 | 9.9 Critical |
| Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution. | ||||
| CVE-2023-3665 | 1 Trellix | 1 Endpoint Security | 2024-11-21 | 5.5 Medium |
| A code injection vulnerability in Trellix ENS 10.7.0 April 2023 release and earlier, allowed a local user to disable the ENS AMSI component via environment variables, leading to denial of service and or the execution of arbitrary code. | ||||
| CVE-2023-3656 | 1 Cashit | 1 Cashit\! | 2024-11-21 | 9.8 Critical |
| cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 are affected by an unauthenticated remote code execution vulnerability. This vulnerability can be triggered by an HTTP endpoint exposed to the network. | ||||
| CVE-2023-3551 | 1 Teampass | 1 Teampass | 2024-11-21 | 7.2 High |
| Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | ||||
| CVE-2023-3393 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | 7.2 High |
| Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. | ||||
| CVE-2023-39956 | 1 Electronjs | 1 Electron | 2024-11-21 | 6.1 Medium |
| Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:`26.0.0-beta.13`, `25.4.1`, `24.7.1`, `23.3.13`, and `22.3.19`. There are no app side workarounds, users must update to a patched version of Electron. | ||||
| CVE-2023-39685 | 1 Hjson | 1 Hjson | 2024-11-21 | 7.5 High |
| An issue in hjson-java up to v3.0.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted JSON string. | ||||
| CVE-2023-39681 | 1 Cuppacms | 1 Cuppacms | 2024-11-21 | 9.8 Critical |
| Cuppa CMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the email_outgoing parameter at /Configuration.php. This vulnerability is triggered via a crafted payload. | ||||
| CVE-2023-39660 | 1 Gabrieleventuri | 1 Pandasai | 2024-11-21 | 9.8 Critical |
| An issue in Gaberiele Venturi pandasai v.0.8.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the prompt function. | ||||
| CVE-2023-39631 | 1 Langchain | 1 Langchain | 2024-11-21 | 9.8 Critical |
| An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. | ||||
| CVE-2023-39445 | 2 Elecom, Logitec | 15 Wrc-1467ghbk-a, Wrc-1467ghbk-a Firmware, Wrc-1467ghbk-s and 12 more | 2024-11-21 | 8.8 High |
| Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an unauthenticated attacker to execute arbitrary code by sending a specially crafted file to the product's certain management console. | ||||
| CVE-2023-39157 | 1 Crocoblock | 1 Jetelements | 2024-11-21 | 9 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetElements For Elementor.This issue affects JetElements For Elementor: from n/a through 2.6.10. | ||||
| CVE-2023-39059 | 1 Ansible-semaphore | 1 Ansible Semaphore | 2024-11-21 | 8.8 High |
| An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter. | ||||
| CVE-2023-39023 | 1 University Compass Project | 1 University Compass | 2024-11-21 | 9.8 Critical |
| university compass v2.2.0 and below was discovered to contain a code injection vulnerability in the component org.compass.core.executor.DefaultExecutorManager.configure. This vulnerability is exploited via passing an unchecked argument. | ||||
| CVE-2023-39022 | 1 Oscore | 1 Oscore | 2024-11-21 | 9.8 Critical |
| oscore v2.2.6 and below was discovered to contain a code injection vulnerability in the component com.opensymphony.util.EJBUtils.createStateless. This vulnerability is exploited via passing an unchecked argument. | ||||
| CVE-2023-39021 | 1 Wix | 1 Wix Embedded Mysql | 2024-11-21 | 9.8 Critical |
| wix-embedded-mysql v4.6.1 and below was discovered to contain a code injection vulnerability in the component com.wix.mysql.distribution.Setup.apply. This vulnerability is exploited via passing an unchecked argument. | ||||
| CVE-2023-39020 | 1 Stanford | 1 Stanford Parser | 2024-11-21 | 9.8 Critical |
| stanford-parser v3.9.2 and below was discovered to contain a code injection vulnerability in the component edu.stanford.nlp.io.getBZip2PipedInputStream. This vulnerability is exploited via passing an unchecked argument. | ||||
| CVE-2023-39017 | 1 Softwareag | 1 Quartz | 2024-11-21 | 9.8 Critical |
| quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur. | ||||