Total
5260 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-43792 | 1 Basercms | 1 Basercms | 2024-11-21 | 9.8 Critical |
| baserCMS is a website development framework. In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. As of time of publication, no known patched versions are available. | ||||
| CVE-2023-43661 | 2 All-three, Cachethq | 2 Cachet, Cachet | 2024-11-21 | 8.8 High |
| Cachet, the open-source status page system. Prior to the 2.4 branch, a template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Commit 6fb043e109d2a262ce3974e863c54e9e5f5e0587 of the 2.4 branch contains a patch for this issue. | ||||
| CVE-2023-43481 | 1 Tcl | 1 Browser Tv Web - Browsehere | 2024-11-21 | 9.8 Critical |
| An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePageActivity component. | ||||
| CVE-2023-43364 | 1 Arjunsharda | 1 Searchor | 2024-11-21 | 9.8 Critical |
| main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution. | ||||
| CVE-2023-43352 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 7.8 High |
| An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component. | ||||
| CVE-2023-43301 | 1 Linecorp | 1 Line | 2024-11-21 | 8.2 High |
| An issue in DARTS SHOP MAXIM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | ||||
| CVE-2023-43270 | 1 Dst-admin Project | 1 Dst-admin | 2024-11-21 | 9.8 Critical |
| dst-admin v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the userId parameter at /home/playerOperate. | ||||
| CVE-2023-43234 | 1 Dedebiz | 1 Dedebiz | 2024-11-21 | 9.8 Critical |
| DedeBIZ v6.2.11 was discovered to contain multiple remote code execution (RCE) vulnerabilities at /admin/file_manage_control.php via the $activepath and $filename parameters. | ||||
| CVE-2023-43222 | 1 Seacms | 1 Seacms | 2024-11-21 | 9.8 Critical |
| SeaCMS v12.8 has an arbitrary code writing vulnerability in the /jxz7g2/admin_ping.php file. | ||||
| CVE-2023-43115 | 3 Artifex, Fedoraproject, Redhat | 4 Ghostscript, Fedora, Enterprise Linux and 1 more | 2024-11-21 | 8.8 High |
| In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server). | ||||
| CVE-2023-42658 | 1 Chef | 1 Inspec | 2024-11-21 | 8.8 High |
| Archive command in Chef InSpec prior to 4.56.58 and 5.22.29 allow local command execution via maliciously crafted profile. | ||||
| CVE-2023-42471 | 1 Wave-ai | 1 Wave | 2024-11-21 | 9.8 Critical |
| The wave.ai.browser application through 1.0.35 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. It contains a manifest entry that exports the wave.ai.browser.ui.splash.SplashScreen activity. This activity uses a WebView component to display web content and doesn't adequately validate or sanitize the URI or any extra data passed in the intent by a third party application (with no permissions). | ||||
| CVE-2023-42470 | 1 Imoulife | 1 Life | 2024-11-21 | 9.8 Critical |
| The Imou Life com.mm.android.smartlifeiot application through 6.8.0 for Android allows Remote Code Execution via a crafted intent to an exported component. This relates to the com.mm.android.easy4ip.MainActivity activity. JavaScript execution is enabled in the WebView, and direct web content loading occurs. | ||||
| CVE-2023-41898 | 1 Home-assistant | 1 Home Assistant Companion | 2024-11-21 | 8.6 High |
| Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`. | ||||
| CVE-2023-41630 | 1 Esst | 1 Esst Monitoring | 2024-11-21 | 9.8 Critical |
| eSST Monitoring v2.147.1 was discovered to contain a remote code execution (RCE) vulnerability via the Gii code generator component. | ||||
| CVE-2023-41544 | 1 Jeecg | 1 Jeecg Boot | 2024-11-21 | 9.8 Critical |
| SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to execute arbitrary code via crafted HTTP request to the /jmreport/loadTableData component. | ||||
| CVE-2023-41450 | 1 Phpkobo | 1 Ajaxnewsticker | 2024-11-21 | 8.8 High |
| An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter. | ||||
| CVE-2023-41444 | 2 Binalyze, Microsoft | 2 Irec, Windows | 2024-11-21 | 7.8 High |
| An issue in Binalyze IREC.sys v.3.11.0 and before allows a local attacker to execute arbitrary code and escalate privileges via the fun_1400084d0 function in IREC.sys driver. | ||||
| CVE-2023-41362 | 1 Mybb | 1 Mybb | 2024-11-21 | 7.2 High |
| MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP. | ||||
| CVE-2023-41319 | 1 Ethyca | 1 Fides | 2024-11-21 | 8.8 High |
| Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the inclusion of custom Python code in it. The custom code is executed in a restricted, sandboxed environment, but the sandbox can be bypassed to execute any arbitrary code. The vulnerability allows the execution of arbitrary code on the target system within the context of the webserver python process owner on the webserver container, which by default is `root`, and leverage that access to attack underlying infrastructure and integrated systems. This vulnerability affects Fides versions `2.11.0` through `2.19.0`. Exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope. In the Fides Admin UI this scope is restricted to highly privileged users, specifically root users and users with the owner role. Exploitation is only possible if the security configuration parameter `allow_custom_connector_functions` is enabled by the user deploying the Fides webserver container, either in `fides.toml` or by setting the env var `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True`. By default this configuration parameter is disabled. The vulnerability has been patched in Fides version `2.19.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. Users unable to upgrade should ensure that `allow_custom_connector_functions` in `fides.toml` and the `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS` are both either unset or explicit set to `False`. | ||||