ReportizFlow
Filtered by vendor
Subscriptions
Total
4091 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-50379 | 2024-11-21 | 8.8 High | ||
| Malicious code injection in Apache Ambari in prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host. | ||||
| CVE-2023-50029 | 2024-11-21 | 10.0 Critical | ||
| PHP Injection vulnerability in the module "M4 PDF Extensions" (m4pdf) up to version 3.3.2 from PrestaAddons for PrestaShop allows attackers to run arbitrary code via the M4PDF::saveTemplate() method. | ||||
| CVE-2023-4977 | 1 Librenms | 1 Librenms | 2024-11-21 | 5.4 Medium |
| Code Injection in GitHub repository librenms/librenms prior to 23.9.0. | ||||
| CVE-2023-4291 | 1 Frauscher | 1 Frauscher Diagnostic System 101 | 2024-11-21 | 9.8 Critical |
| Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a remote code execution (RCE) vulnerability via manipulated parameters of the web interface without authentication. This could lead to a full compromise of the FDS101 device. | ||||
| CVE-2023-49830 | 1 Brainstormforce | 1 Astra | 2024-11-21 | 9.9 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Brainstorm Force Astra Pro.This issue affects Astra Pro: from n/a through 4.3.1. | ||||
| CVE-2023-49391 | 1 Free5gc | 1 Free5gc | 2024-11-21 | 7.5 High |
| An issue was discovered in free5GC version 3.3.0, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) on AMF component via crafted NGAP message. | ||||
| CVE-2023-49313 | 1 Horsicq | 1 Xmachoviewer | 2024-11-21 | 9.8 Critical |
| A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity. By exploiting this, unauthorized code can be injected into the product's processes, potentially leading to remote control and unauthorized access to sensitive user data. | ||||
| CVE-2023-49109 | 2024-11-21 | 9.8 Critical | ||
| Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. | ||||
| CVE-2023-49093 | 1 Htmlunit | 1 Htmlunit | 2024-11-21 | 9.8 Critical |
| HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0 | ||||
| CVE-2023-49070 | 1 Apache | 1 Ofbiz | 2024-11-21 | 9.8 Critical |
| Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10 | ||||
| CVE-2023-49004 | 1 Dlink | 2 Dir-850l, Dir-850l Firmware | 2024-11-21 | 9.8 Critical |
| An issue in D-Link DIR-850L v.B1_FW223WWb01 allows a remote attacker to execute arbitrary code via a crafted script to the en parameter. | ||||
| CVE-2023-49001 | 1 Indibrowser | 1 Indi Browser | 2024-11-21 | 9.8 Critical |
| An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an attacker to bypass intended access restrictions via interaction with the com.example.gurry.kvbrowswer.webview component. | ||||
| CVE-2023-49000 | 1 Artistscope | 1 Artisbrowser | 2024-11-21 | 9.8 Critical |
| An issue in ArtistScope ArtisBrowser v.34.1.5 and before allows an attacker to bypass intended access restrictions via interaction with the com.artis.browser.IntentReceiverActivity component. NOTE: this is disputed by the vendor, who indicates that ArtisBrowser 34 does not support CSS3. | ||||
| CVE-2023-48699 | 1 Ubertidavide | 1 Fastbots | 2024-11-21 | 8.4 High |
| fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above. | ||||
| CVE-2023-48643 | 2024-11-21 | 9.8 Critical | ||
| Shrubbery tac_plus 2.x, 3.x. and 4.x through F4.0.4.28 allows unauthenticated Remote Command Execution. The product allows users to configure authorization checks as shell commands through the tac_plus.cfg configuration file. These are executed when a client sends an authorization request with a username that has pre-authorization directives configured. However, it is possible to inject additional commands into these checks because strings from TACACS+ packets are used as command-line arguments. If the installation lacks a a pre-shared secret (there is no pre-shared secret by default), then the injection can be triggered without authentication. (The attacker needs to know a username configured to use a pre-authorization command.) NOTE: this is related to CVE-2023-45239 but the issue is in the original Shrubbery product, not Meta's fork. | ||||
| CVE-2023-48390 | 1 Multisuns | 2 Easylog Web\+, Easylog Web\+ Firmware | 2024-11-21 | 9.8 Critical |
| Multisuns EasyLog web+ has a code injection vulnerability. An unauthenticated remote attacker can exploit this vulnerability to inject code and access the system to perform arbitrary system operations or disrupt service. | ||||
| CVE-2023-48226 | 1 Openreplay | 1 Openreplay | 2024-11-21 | 6.5 Medium |
| OpenReplay is a self-hosted session replay suite. In version 1.14.0, due to lack of validation Name field - Account Settings (for registration looks like validation is correct), a bad actor can send emails with HTML injected code to the victims. Bad actors can use this to phishing actions for example. Email is really send from OpenReplay, but bad actors can add there HTML code injected (content spoofing). Please notice that during Registration steps for FullName looks like is validated correct - can not type there, but using this kind of bypass/workaround - bad actors can achieve own goal. As of time of publication, no known fixes or workarounds are available. | ||||
| CVE-2023-48217 | 1 Statamic | 1 Statamic | 2024-11-21 | 8.8 High |
| Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-48192 | 1 Totolink | 2 A3700r, A3700r Firmware | 2024-11-21 | 7.8 High |
| An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a local attacker to execute arbitrary code via the setTracerouteCfg function. | ||||
| CVE-2023-47883 | 1 Vladymix | 1 Tv Browser | 2024-11-21 | 9.8 Critical |
| The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity. | ||||