Total
5260 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-46509 | 1 Contec | 2 Solarview Compact, Solarview Compact Firmware | 2024-11-21 | 9.8 Critical |
| An issue in Contec SolarView Compact v.6.0 and before allows an attacker to execute arbitrary code via the texteditor.php component. | ||||
| CVE-2023-46404 | 1 Utoronto | 1 Pcrs | 2024-11-21 | 9.9 Critical |
| PCRS <= 3.11 (d0de1e) “Questions” page and “Code editor” page are vulnerable to remote code execution (RCE) by escaping Python sandboxing. | ||||
| CVE-2023-46243 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 10 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. Users are advised to update. There are no known workarounds for this issue. | ||||
| CVE-2023-46242 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 9.7 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. There are no known workarounds for for this vulnerability. | ||||
| CVE-2023-46055 | 1 Thingnario | 1 Photon | 2024-11-21 | 8.8 High |
| An issue in ThingNario Photon v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the ping function to the "thingnario Logger Maintenance Webpage" endpoint. | ||||
| CVE-2023-46042 | 1 Get-simple | 1 Getsimplecms | 2024-11-21 | 9.8 Critical |
| An issue in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the phpinfo(). | ||||
| CVE-2023-46010 | 1 Seacms | 1 Seacms | 2024-11-21 | 9.8 Critical |
| An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component. | ||||
| CVE-2023-45849 | 1 Perforce | 1 Helix Core | 2024-11-21 | 9 Critical |
| An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner. | ||||
| CVE-2023-45751 | 1 Posimyth | 1 Nexter Extension | 2024-11-21 | 9.1 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in POSIMYTH Nexter Extension.This issue affects Nexter Extension: from n/a through 2.0.3. | ||||
| CVE-2023-45735 | 1 Westermo | 2 L206-f2g, L206-f2g Firmware | 2024-11-21 | 8 High |
| A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device. | ||||
| CVE-2023-45560 | 1 Memberscard Project | 1 Memberscard | 2024-11-21 | 7.5 High |
| An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. | ||||
| CVE-2023-45144 | 1 Xwiki | 1 Oauth Identity | 2024-11-21 | 10 Critical |
| com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request is vulnerable to cross site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability and users are advised to upgrade. | ||||
| CVE-2023-44847 | 1 Seacms | 1 Seacms | 2024-11-21 | 7.2 High |
| An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ Weixin.php component. | ||||
| CVE-2023-44846 | 1 Seacms | 1 Seacms | 2024-11-21 | 8.8 High |
| An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ notify.php component. | ||||
| CVE-2023-44392 | 1 Garden | 1 Garden | 2024-11-21 | 8.3 High |
| Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes `ConfigMap` resources prefixed with `test-result` and `run-result` to cache Garden test and run results. These `ConfigMaps` are stored either in the `garden-system` namespace or the configured user namespace. When a user invokes the command `garden test` or `garden run` objects stored in the `ConfigMap` are retrieved and deserialized. This can be used by an attacker with access to the Kubernetes cluster to store malicious objects in the `ConfigMap`, which can trigger a remote code execution on the users machine when cryo deserializes the object. In order to exploit this vulnerability, an attacker must have access to the Kubernetes cluster used to deploy garden remote environments. Further, a user must actively invoke either a `garden test` or `garden run` which has previously cached results. The issue has been patched in Garden versions `0.13.17` (Bonsai) and `0.12.65` (Acorn). Only Garden versions prior to these are vulnerable. No known workarounds are available. | ||||
| CVE-2023-44382 | 1 Octobercms | 1 October | 2024-11-21 | 9.1 Critical |
| October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This issue has been patched in 3.4.15. | ||||
| CVE-2023-44381 | 1 Octobercms | 1 October | 2024-11-21 | 4.9 Medium |
| October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can craft a special request to include PHP code in the CMS template. This issue has been patched in version 3.4.15. | ||||
| CVE-2023-44141 | 1 Inkdrop | 1 Inkdrop | 2024-11-21 | 7.8 High |
| Inkdrop prior to v5.6.0 allows a local attacker to conduct a code injection attack by having a legitimate user open a specially crafted markdown file. | ||||
| CVE-2023-44011 | 1 Mojoportal | 1 Mojoportal | 2024-11-21 | 9.8 Critical |
| An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the layout.master skin file at the Skin management component. | ||||
| CVE-2023-43955 | 1 Fedirtsapana | 1 Tv Bro | 2024-11-21 | 9.8 Critical |
| The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData. | ||||