ReportizFlow
Filtered by vendor
Subscriptions
Total
4091 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-46055 | 1 Thingnario | 1 Photon | 2024-11-21 | 8.8 High |
| An issue in ThingNario Photon v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the ping function to the "thingnario Logger Maintenance Webpage" endpoint. | ||||
| CVE-2023-46042 | 1 Get-simple | 1 Getsimplecms | 2024-11-21 | 9.8 Critical |
| An issue in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the phpinfo(). | ||||
| CVE-2023-46010 | 1 Seacms | 1 Seacms | 2024-11-21 | 9.8 Critical |
| An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component. | ||||
| CVE-2023-45849 | 1 Perforce | 1 Helix Core | 2024-11-21 | 9 Critical |
| An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner. | ||||
| CVE-2023-45751 | 1 Posimyth | 1 Nexter Extension | 2024-11-21 | 9.1 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in POSIMYTH Nexter Extension.This issue affects Nexter Extension: from n/a through 2.0.3. | ||||
| CVE-2023-45735 | 1 Westermo | 2 L206-f2g, L206-f2g Firmware | 2024-11-21 | 8 High |
| A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device. | ||||
| CVE-2023-45673 | 1 Laurent 22 | 1 Joplin | 2024-11-21 | 8.9 High |
| Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-45590 | 2024-11-21 | 9.4 Critical | ||
| An improper control of generation of code ('code injection') in Fortinet FortiClientLinux version 7.2.0, 7.0.6 through 7.0.10 and 7.0.3 through 7.0.4 allows attacker to execute unauthorized code or commands via tricking a FortiClientLinux user into visiting a malicious website | ||||
| CVE-2023-45560 | 1 Memberscard Project | 1 Memberscard | 2024-11-21 | 7.5 High |
| An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. | ||||
| CVE-2023-45144 | 1 Xwiki | 1 Oauth Identity | 2024-11-21 | 10 Critical |
| com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request is vulnerable to cross site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability and users are advised to upgrade. | ||||
| CVE-2023-44857 | 1 Cobham | 1 Sailor Vsat Ku | 2024-11-21 | 8.1 High |
| An issue in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the sub_21D24 function in the acu_web component. | ||||
| CVE-2023-44853 | 1 Cobham | 1 Sailor 600 Vsat Ku | 2024-11-21 | 4.8 Medium |
| \An issue was discovered in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the sub_219C4 function in the acu_web file. | ||||
| CVE-2023-44847 | 1 Seacms | 1 Seacms | 2024-11-21 | 7.2 High |
| An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ Weixin.php component. | ||||
| CVE-2023-44846 | 1 Seacms | 1 Seacms | 2024-11-21 | 8.8 High |
| An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ notify.php component. | ||||
| CVE-2023-44392 | 1 Garden | 1 Garden | 2024-11-21 | 8.3 High |
| Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes `ConfigMap` resources prefixed with `test-result` and `run-result` to cache Garden test and run results. These `ConfigMaps` are stored either in the `garden-system` namespace or the configured user namespace. When a user invokes the command `garden test` or `garden run` objects stored in the `ConfigMap` are retrieved and deserialized. This can be used by an attacker with access to the Kubernetes cluster to store malicious objects in the `ConfigMap`, which can trigger a remote code execution on the users machine when cryo deserializes the object. In order to exploit this vulnerability, an attacker must have access to the Kubernetes cluster used to deploy garden remote environments. Further, a user must actively invoke either a `garden test` or `garden run` which has previously cached results. The issue has been patched in Garden versions `0.13.17` (Bonsai) and `0.12.65` (Acorn). Only Garden versions prior to these are vulnerable. No known workarounds are available. | ||||
| CVE-2023-44382 | 1 Octobercms | 1 October | 2024-11-21 | 9.1 Critical |
| October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This issue has been patched in 3.4.15. | ||||
| CVE-2023-44381 | 1 Octobercms | 1 October | 2024-11-21 | 4.9 Medium |
| October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can craft a special request to include PHP code in the CMS template. This issue has been patched in version 3.4.15. | ||||
| CVE-2023-44141 | 1 Inkdrop | 1 Inkdrop | 2024-11-21 | 7.8 High |
| Inkdrop prior to v5.6.0 allows a local attacker to conduct a code injection attack by having a legitimate user open a specially crafted markdown file. | ||||
| CVE-2023-44011 | 1 Mojoportal | 1 Mojoportal | 2024-11-21 | 9.8 Critical |
| An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the layout.master skin file at the Skin management component. | ||||
| CVE-2023-43955 | 1 Fedirtsapana | 1 Tv Bro | 2024-11-21 | 9.8 Critical |
| The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData. | ||||