Total
258992 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-36234 | 1 Netbox | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Netbox 3.5.1, allows attackers to execute arbitrary code via Name field in device-roles/add function. | |||||
| CVE-2023-33799 | 1 Netbox Project | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Create Contacts (/tenancy/contacts/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | |||||
| CVE-2023-45117 | 1 Projectworlds | 1 Online Examination System | 2024-02-02 | N/A | 8.8 HIGH |
| Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'eid' parameter of the /update.php?q=rmquiz resource does not validate the characters received and they are sent unfiltered to the database. | |||||
| CVE-2023-45116 | 1 Projectworlds | 1 Online Examination System | 2024-02-02 | N/A | 8.8 HIGH |
| Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'demail' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database. | |||||
| CVE-2023-45121 | 1 Projectworlds | 1 Online Examination System | 2024-02-02 | N/A | 8.8 HIGH |
| Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'desc' parameter of the /update.php?q=addquiz resource does not validate the characters received and they are sent unfiltered to the database. | |||||
| CVE-2023-45120 | 1 Projectworlds | 1 Online Examination System | 2024-02-02 | N/A | 8.8 HIGH |
| Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'qid' parameter of the /update.php?q=quiz&step=2 resource does not validate the characters received and they are sent unfiltered to the database. | |||||
| CVE-2008-0599 | 1 Php | 1 Php | 2024-02-02 | 10.0 HIGH | 9.8 CRITICAL |
| The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI. | |||||
| CVE-2023-45118 | 1 Projectworlds | 1 Online Examination System | 2024-02-02 | N/A | 8.8 HIGH |
| Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'fdid' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database. | |||||
| CVE-2023-45119 | 1 Projectworlds | 1 Online Examination System | 2024-02-02 | N/A | 8.8 HIGH |
| Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'n' parameter of the /update.php?q=quiz resource does not validate the characters received and they are sent unfiltered to the database. | |||||
| CVE-2019-5736 | 13 Apache, Canonical, D2iq and 10 more | 19 Mesos, Ubuntu Linux, Dc\/os and 16 more | 2024-02-02 | 9.3 HIGH | 8.6 HIGH |
| runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. | |||||
| CVE-2024-25001 | 2024-02-02 | N/A | N/A | ||
| Rejected reason: ** REJECT ** DO NOT USE THIS CVE ID. ConsultIDs: none. Reason: This CVE ID is unused by its CNA. Notes: none. | |||||
| CVE-2023-44764 | 1 Concretecms | 1 Concrete Cms | 2024-02-02 | N/A | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of Installation or Settings). | |||||
| CVE-2022-41613 | 1 Bentley | 1 Microstation Connect | 2024-02-02 | N/A | 7.8 HIGH |
| Bentley Systems MicroStation Connect versions 10.17.0.209 and prior are vulnerable to an Out-of-Bounds Read when when parsing DGN files, which may allow an attacker to crash the product, disclose sensitive information, or execute arbitrary code. | |||||
| CVE-2022-40201 | 1 Bentley | 1 Microstation Connect | 2024-02-02 | N/A | 7.8 HIGH |
| Bentley Systems MicroStation Connect versions 10.17.0.209 and prior are vulnerable to a Stack-Based Buffer Overflow when a malformed design (DGN) file is parsed. This may allow an attacker to execute arbitrary code. | |||||
| CVE-2024-0625 | 2024-02-02 | N/A | 4.8 MEDIUM | ||
| The WPFront Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpfront-notification-bar-options[custom_class]’ parameter in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2024-0617 | 2024-02-02 | N/A | 5.3 MEDIUM | ||
| The Category Discount Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpcd_save_discount() function in all versions up to, and including, 4.12. This makes it possible for unauthenticated attackers to modify product category discounts that could lead to loss of revenue. | |||||
| CVE-2024-22204 | 2024-02-02 | N/A | 5.3 MEDIUM | ||
| Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options in Whoogle are enabled. The `config` function in `app/routes.py` does not validate the user-controlled `name` variable on line 447 and `config_data` variable on line 437. The `name` variable is insecurely concatenated in `os.path.join`, leading to path manipulation. The POST data from the `config_data` variable is saved with `pickle.dump` which leads to a limited file write. However, the data that is saved is earlier transformed into a dictionary and the `url` key value pair is added before the file is saved on the system. All in all, the issue allows us to save and overwrite files on the system that the application has permissions to, with a dictionary containing arbitrary data and the `url` key value, which is a limited file write. Version 0.8.4 contains a patch for this issue. | |||||
| CVE-2023-49783 | 2024-02-02 | N/A | 4.3 MEDIUM | ||
| Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete records using the CSV import form, provided they have create permissions. The likelihood of a user having create permissions but not having edit or delete permissions is low, but it is possible. Note that this doesn't affect any `ModelAdmin` which has had the import form disabled via the `showImportForm` public property. Versions 1.13.19 and 2.1.8 contain a patch for the issue. Those who have a custom implementation of `BulkLoader` should update their implementations to respect permissions when the return value of `getCheckPermissions()` is true. Those who use any `BulkLoader` in their own project logic, or maintain a module which uses it, should consider passing `true` to `setCheckPermissions()` if the data is provided by users. | |||||
| CVE-2023-48714 | 2024-02-02 | N/A | 4.3 MEDIUM | ||
| Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. | |||||
| CVE-2023-40092 | 1 Google | 1 Android | 2024-02-02 | N/A | 5.5 MEDIUM |
| In verifyShortcutInfoPackage of ShortcutService.java, there is a possible way to see another user's image due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||