Total: 5260 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-48699 | 1 Ubertidavide | 1 Fastbots | 2024-11-21 | 8.4 High | fastbots is a library for fast bot and scraper development using Selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with Python code that is executed without proper validation, which could lead to RCE. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. To mitigate this issue, upgrade to fastbots version 0.1.5 or above.
CVE-2023-48390 | 1 Multisuns | 2 Easylog Web+, Easylog Web+ Firmware | 2024-11-21 | 9.8 Critical | Multisuns EasyLog web+ has a code injection vulnerability. An unauthenticated remote attacker can exploit this vulnerability to inject code and access the system to perform arbitrary system operations or disrupt service.
CVE-2023-48226 | 1 Openreplay | 1 Openreplay | 2024-11-21 | 6.5 Medium | OpenReplay is a self-hosted session replay suite. In version 1.14.0, due to a lack of validation of the Name field in Account Settings (during registration the validation appears to be correct), a bad actor can send emails containing injected HTML code to victims. Bad actors can use this for phishing, for example. The email is really sent from OpenReplay, but bad actors can add injected HTML code to it (content spoofing). Note that during the registration steps the FullName field appears to be validated correctly and cannot be abused there, but with this bypass/workaround bad actors can still achieve their goal. As of the time of publication, no known fixes or workarounds are available.
CVE-2023-48217 | 1 Statamic | 1 Statamic | 2024-11-21 | 8.8 High | Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions, certain additional PHP files crafted to look like images may be uploaded regardless of MIME type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-48192 | 1 Totolink | 2 A3700r, A3700r Firmware | 2024-11-21 | 7.8 High | An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a local attacker to execute arbitrary code via the setTracerouteCfg function.
CVE-2023-47883 | 1 Vladymix | 1 Tv Browser | 2024-11-21 | 9.8 Critical | The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity.
CVE-2023-47840 | 1 Qodeinteractive | 1 Qode Essential Addons | 2024-11-21 | 9.9 Critical | Improper Control of Generation of Code ('Code Injection') vulnerability in Qode Interactive Qode Essential Addons. This issue affects Qode Essential Addons: from n/a through 1.5.2.
CVE-2023-47444 | 1 Opencart | 1 Opencart | 2024-11-21 | 8.8 High | An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users with the common/security write privilege to write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server.
CVE-2023-47397 | 1 Webidsupport | 1 Webid | 2024-11-21 | 9.8 Critical | WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php.
CVE-2023-47003 | 1 Redislabs | 1 Redisgraph | 2024-11-21 | 9.8 Critical | An issue in RedisGraph v.2.12.10 allows an attacker to execute arbitrary code and cause a denial of service via a crafted string in DataBlock_ItemIsDeleted.
CVE-2023-46987 | 1 Seacms | 1 Seacms | 2024-11-21 | 8.8 High | SeaCMS v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the component /augap/adminip.php.
CVE-2023-46980 | 1 Mayurik | 1 Best Courier Management System | 2024-11-21 | 9.8 Critical | An issue in Best Courier Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script passed to the userID parameter.
CVE-2023-46958 | 1 Lmxcms | 1 Lmxcms | 2024-11-21 | 9.8 Critical | An issue in lmxcms v.1.41 allows a remote attacker to execute arbitrary code via a crafted script sent to the admin.php file.
CVE-2023-46947 | 1 Intelliants | 1 Subrion | 2024-11-21 | 8.8 High | Subrion 4.2.1 has a remote command execution vulnerability in the backend.
CVE-2023-46865 | 1 Craterapp | 1 Crater | 2024-11-21 | 7.2 High | /api/v1/company/upload-logo in CompanyController.php in crater through 6.0.6 allows a superadmin to execute arbitrary PHP code by placing this code into an image/png IDAT chunk of a Company Logo image.
CVE-2023-46845 | 1 Ec-cube | 1 Ec-cube | 2024-11-21 | 7.2 High | EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with administrative privileges.
CVE-2023-46818 | 1 Ispconfig | 1 Ispconfig | 2024-11-21 | 7.2 High | An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
CVE-2023-46816 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 8.8 High | An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server-Side Template Injection (SSTI) vulnerability has been identified in the GetControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.
CVE-2023-46731 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 10 Critical | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document `XWiki.AdminSheet` (by default, everyone including unauthenticated users) to execute code including Groovy code. This impacts the confidentiality, integrity and availability of the whole XWiki instance. This vulnerability has been patched in XWiki 14.10.14, 15.6 RC1 and 15.5.1. Users are advised to upgrade. Users unable to upgrade may apply the fix in commit `fec8e0e53f9` manually. Alternatively, to protect against attacks from unauthenticated users, the view right for guests can be removed from this document (it is only needed for space and wiki admins).
CVE-2023-46623 | 1 Wpvnteam | 1 Wp Extra | 2024-11-21 | 9.9 Critical | Improper Control of Generation of Code ('Code Injection') vulnerability in TienCOP WP EXtra. This issue affects WP EXtra: from n/a through 6.2.