Total: 860 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-50723 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 9.9 CRITICAL | XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality, integrity and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile, so this should be exploitable by all users of the XWiki instance. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patches can be manually applied to the `XWiki.ConfigurableClassMacros` and `XWiki.ConfigurableClass` pages.
CVE-2023-50721 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 9.9 CRITICAL | XWiki Platform is a generic wiki platform. Starting in 4.5-rc-1 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros, including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page, such as the user's profile (editable by default), as user interface extensions that will be displayed in the search administration can be added on any document by any user. The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1. As a workaround, the patch can be applied manually to the page `XWiki.SearchAdmin`.
CVE-2023-50029 | | | 2024-11-21 | N/A | 10.0 CRITICAL | PHP Injection vulnerability in the module "M4 PDF Extensions" (m4pdf) up to version 3.3.2 from PrestaAddons for PrestaShop allows attackers to run arbitrary code via the M4PDF::saveTemplate() method.
CVE-2023-4291 | 1 Frauscher | 1 Frauscher Diagnostic System 101 | 2024-11-21 | N/A | 9.8 CRITICAL | Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a remote code execution (RCE) vulnerability via manipulated parameters of the web interface without authentication. This could lead to a full compromise of the FDS101 device.
CVE-2023-49830 | 1 Brainstormforce | 1 Astra | 2024-11-21 | N/A | 9.9 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in Brainstorm Force Astra Pro. This issue affects Astra Pro: from n/a through 4.3.1.
CVE-2023-49313 | 1 Horsicq | 1 Xmachoviewer | 2024-11-21 | N/A | 9.8 CRITICAL | A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity. By exploiting this, unauthorized code can be injected into the product's processes, potentially leading to remote control and unauthorized access to sensitive user data.
CVE-2023-49004 | 1 Dlink | 2 Dir-850l, Dir-850l Firmware | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in D-Link DIR-850L v.B1_FW223WWb01 allows a remote attacker to execute arbitrary code via a crafted script to the en parameter.
CVE-2023-49001 | 1 Indibrowser | 1 Indi Browser | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an attacker to bypass intended access restrictions via interaction with the com.example.gurry.kvbrowswer.webview component.
CVE-2023-49000 | 1 Artistscope | 1 Artisbrowser | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in ArtistScope ArtisBrowser v.34.1.5 and before allows an attacker to bypass intended access restrictions via interaction with the com.artis.browser.IntentReceiverActivity component. NOTE: this is disputed by the vendor, who indicates that ArtisBrowser 34 does not support CSS3.
CVE-2023-48643 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Shrubbery tac_plus 2.x, 3.x, and 4.x through F4.0.4.28 allows unauthenticated Remote Command Execution. The product allows users to configure authorization checks as shell commands through the tac_plus.cfg configuration file. These are executed when a client sends an authorization request with a username that has pre-authorization directives configured. However, it is possible to inject additional commands into these checks because strings from TACACS+ packets are used as command-line arguments. If the installation lacks a pre-shared secret (there is no pre-shared secret by default), then the injection can be triggered without authentication. (The attacker needs to know a username configured to use a pre-authorization command.) NOTE: this is related to CVE-2023-45239, but the issue is in the original Shrubbery product, not Meta's fork.
CVE-2023-48390 | 1 Multisuns | 2 Easylog Web+, Easylog Web+ Firmware | 2024-11-21 | N/A | 9.8 CRITICAL | Multisuns EasyLog web+ has a code injection vulnerability. An unauthenticated remote attacker can exploit this vulnerability to inject code and access the system to perform arbitrary system operations or disrupt service.
CVE-2023-47840 | 1 Qodeinteractive | 1 Qode Essential Addons | 2024-11-21 | N/A | 9.9 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in Qode Interactive Qode Essential Addons. This issue affects Qode Essential Addons: from n/a through 1.5.2.
CVE-2023-47397 | 1 Webidsupport | 1 Webid | 2024-11-21 | N/A | 9.8 CRITICAL | WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php.
CVE-2023-47003 | 1 Redislabs | 1 Redisgraph | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in RedisGraph v.2.12.10 allows an attacker to execute arbitrary code and cause a denial of service via a crafted string in DataBlock_ItemIsDeleted.
CVE-2023-46980 | 1 Mayurik | 1 Best Courier Management System | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in Best Courier Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the userID parameter.
CVE-2023-46958 | 1 Lmxcms | 1 Lmxcms | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in lmxcms v.1.41 allows a remote attacker to execute arbitrary code via a crafted script to the admin.php file.
CVE-2023-46731 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 10.0 CRITICAL | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document `XWiki.AdminSheet` (by default, everyone including unauthenticated users) to execute code, including Groovy code. This impacts the confidentiality, integrity and availability of the whole XWiki instance. This vulnerability has been patched in XWiki 14.10.14, 15.6 RC1 and 15.5.1. Users are advised to upgrade. Users unable to upgrade may apply the fix in commit `fec8e0e53f9` manually. Alternatively, to protect against attacks from unauthenticated users, view right for guests can be removed from this document (it is only needed for space and wiki admins).
CVE-2023-46623 | 1 Wpvnteam | 1 Wp Extra | 2024-11-21 | N/A | 9.9 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in TienCOP WP EXtra. This issue affects WP EXtra: from n/a through 6.2.
CVE-2023-46509 | 1 Contec | 2 Solarview Compact, Solarview Compact Firmware | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in Contec SolarView Compact v.6.0 and before allows an attacker to execute arbitrary code via the texteditor.php component.
CVE-2023-46480 | 1 Owncast Project | 1 Owncast | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function.