Total: 3575 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-2583 | 1 Jsreport | 1 Jsreport | 2024-02-04 | N/A | 10.0 CRITICAL | Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3. |
CVE-2023-36859 | 1 Piigab | 2 M-bus 900s, M-bus 900s Firmware | 2024-02-04 | N/A | 9.8 CRITICAL | PiiGAB M-Bus SoftwarePack 900S does not correctly sanitize user input, which could allow an attacker to inject arbitrary commands. |
CVE-2023-30990 | 1 Ibm | 1 I | 2024-02-04 | N/A | 9.8 CRITICAL | IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036. |
CVE-2020-29007 | 1 Mediawiki | 1 Score | 2024-02-04 | N/A | 9.8 CRITICAL | The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code. |
CVE-2023-27869 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Db2 and 3 more | 2024-02-04 | N/A | 8.8 HIGH | IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unchecked logger injection. By sending a specially crafted request using the named traceFile property, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 249517. |
CVE-2023-24492 | 2 Canonical, Citrix | 2 Ubuntu Linux, Secure Access Client | 2024-02-04 | N/A | 8.8 HIGH | A vulnerability has been discovered in the Citrix Secure Access client for Ubuntu which, if exploited, could allow an attacker to remotely execute code if a victim user opens an attacker-crafted link and accepts further prompts. |
CVE-2023-27868 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Db2 and 3 more | 2024-02-04 | N/A | 8.8 HIGH | IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unchecked class instantiation when providing plugin classes. By sending a specially crafted request using the named pluginClassName class, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 249516. |
CVE-2023-2359 | 1 Themepunch | 1 Slider Revolution | 2024-02-04 | N/A | 8.8 HIGH | The Slider Revolution WordPress plugin through 6.6.12 does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations. |
CVE-2023-34251 | | | 2024-02-04 | N/A | 7.2 HIGH | Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue. |
CVE-2023-37659 | 1 Xalpha Project | 1 Xalpha | 2024-02-04 | N/A | 9.8 CRITICAL | xalpha v0.11.4 is vulnerable to Remote Command Execution (RCE). |
CVE-2023-29209 | 1 Xwiki | 1 Xwiki | 2024-02-04 | N/A | 8.8 HIGH | XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the macro parameters of the legacy notification activity macro. This macro is installed by default in XWiki. The vulnerability can be exploited via every wiki page that is editable including the user's profile, but also with just view rights using the HTMLConverter that is part of the CKEditor integration which is bundled with XWiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10. |
CVE-2023-24709 | 1 Paradox | 2 Ipr512, Ipr512 Firmware | 2024-02-04 | N/A | 7.5 HIGH | An issue found in Paradox Security Systems IPR512 allows attackers to cause a denial of service via the login.html and login.xml parameters. |
CVE-2022-36963 | 1 Solarwinds | 1 Orion Platform | 2024-02-04 | N/A | 7.2 HIGH | The SolarWinds Platform was susceptible to a command injection vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands. |
CVE-2023-3393 | 1 Fossbilling | 1 Fossbilling | 2024-02-04 | N/A | 7.2 HIGH | Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. |
CVE-2023-29211 | 1 Xwiki | 1 Xwiki | 2024-02-04 | N/A | 8.8 HIGH | XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter. The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10. |
CVE-2023-29210 | 1 Xwiki | 1 Xwiki | 2024-02-04 | N/A | 8.8 HIGH | XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provides the notification filters. These macros are used in the user profiles and thus installed by default in XWiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10. |
CVE-2023-35152 | 1 Xwiki | 1 Xwiki | 2024-02-04 | N/A | 8.8 HIGH | XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights, leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually. |
CVE-2023-1306 | 1 Rapid7 | 2 Insightappsec, Insightcloudsec | 2024-02-04 | N/A | 8.8 HIGH | An authenticated attacker can leverage an exposed resource.db() accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec. |
CVE-2023-36992 | 1 Travianz Project | 1 Travianz | 2024-02-04 | N/A | 7.2 HIGH | PHP injection in TravianZ 8.3.4 and 8.3.3 in the config editor in the admin page allows remote attackers to execute PHP code. |
CVE-2022-43769 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2024-02-04 | N/A | 7.2 HIGH | Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows certain web services to set property values which contain Spring templates that are interpreted downstream. |