Total
1595 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-52081 | 1 Ewen-lbh | 1 Firefox Css | 2024-11-21 | 5.3 Medium |
| ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function `lookupPreprocess()` is meant to apply some transformations to a string by disabling characters in the regex `[-_ .]`. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex `[-_ .]`. The `lookupPreprocess()` can be easily bypassed with equivalent Unicode characters like U+FE4D (﹍), which would result in the omitted U+005F (_), for instance. The `lookupPreprocess()` function is only ever used to search for themes loosely (case insensitively, while ignoring dashes, underscores and dots), so the actual security impact is classified as low. This vulnerability is fixed in 0.2.0. There are no known workarounds. | ||||
| CVE-2023-51939 | 1 Relic Project | 1 Relic | 2024-11-21 | 8.8 High |
| An issue in the cp_bbs_sig function in relic/src/cp/relic_cp_bbs.c of Relic relic-toolkit 0.6.0 allows a remote attacker to obtain sensitive information and escalate privileges via the cp_bbs_sig function. | ||||
| CVE-2023-51664 | 1 Tj-actions | 1 Changed-files | 2024-11-21 | 7.3 High |
| tj-actions/changed-files is a Github action to retrieve all files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. This vulnerability has been addressed in version 41.0.0. Users are advised to upgrade. | ||||
| CVE-2023-51446 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 5.9 Medium |
| GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12. | ||||
| CVE-2023-50093 | 1 Apiida | 1 Api Gateway Manager | 2024-11-21 | 6.1 Medium |
| APIIDA API Gateway Manager for Broadcom Layer7 v2023.2.2 is vulnerable to Host Header Injection. | ||||
| CVE-2023-4843 | 1 Pega | 1 Pega Platform | 2024-11-21 | 4.3 Medium |
| Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user. | ||||
| CVE-2023-4818 | 1 Paxtechnology | 2 A920, Paydroid | 2024-11-21 | 7.6 High |
| PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. The attacker must have physical USB access to the device in order to exploit this vulnerability. | ||||
| CVE-2023-4767 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 6.1 Medium |
| A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv. | ||||
| CVE-2023-4478 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.3 Medium |
| Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. | ||||
| CVE-2023-4450 | 1 Jeecg | 1 Jimureport | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.1 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-237571. | ||||
| CVE-2023-4393 | 1 Liquidfiles | 1 Liquidfiles | 2024-11-21 | 5.4 Medium |
| HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker to perform more advanced phishing attacks against an organization. | ||||
| CVE-2023-4197 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 7.5 High |
| Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. | ||||
| CVE-2023-4157 | 1 Omeka | 2 Omeka, Omeka S | 2024-11-21 | 5.2 Medium |
| CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in GitHub repository omeka/omeka-s prior to version 4.0.3. | ||||
| CVE-2023-49964 | 1 Hyland | 1 Alfresco Content Services | 2024-11-21 | 8.8 High |
| An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873. | ||||
| CVE-2023-49328 | 2 Linux, Wolterskluwer | 2 Linux Kernel, B.point | 2024-11-21 | 7.2 High |
| On a Wolters Kluwer B.POINT 23.70.00 server running Linux on premises, during the authentication phase, a validated system user can achieve remote code execution via Argument Injection in the server-to-server module. | ||||
| CVE-2023-49214 | 1 Usedesk | 1 Usedesk | 2024-11-21 | 9.8 Critical |
| Usedesk before 1.7.57 allows chat template injection. | ||||
| CVE-2023-48841 | 1 Phpjabbers | 1 Appointment Scheduler | 2024-11-21 | 8.8 High |
| Appointment Scheduler 3.0 is vulnerable to CSV Injection via a Language > Labels > Export action. | ||||
| CVE-2023-48835 | 1 Phpjabbers | 1 Car Rental Script | 2024-11-21 | 8.8 High |
| Car Rental Script v3.0 is vulnerable to CSV Injection via a Language > Labels > Export action. | ||||
| CVE-2023-48830 | 1 Phpjabbers | 1 Shuttle Booking Software | 2024-11-21 | 8.8 High |
| Shuttle Booking Software 2.0 is vulnerable to CSV Injection in the Languages section via an export. | ||||
| CVE-2023-48826 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2024-11-21 | 8.8 High |
| Time Slots Booking Calendar 4.0 is vulnerable to CSV Injection via the unique ID field of the Reservations List. | ||||