Lista CVE - 2023 / Gennaio
Visualizzazione 1801 - 1900 di 2351 CVE per Gennaio 2023 (Pagina 19 di 24)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2023-20922 | 2023-01-24 | In setMimeGroup of PackageManagerService.java, there is a possible crash loop due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction... |
| CVE-2023-20923 | 2023-01-24 | In exported content providers of ShannonRcs, there is a possible way to get access to protected content providers due to a permissions bypass. This could lead to local information disclosure... |
| CVE-2023-20924 | 2023-01-24 | In (TBD) of (TBD), there is a possible way to bypass the lockscreen due to Biometric Auth Failure. This could lead to local escalation of privilege with physical access to... |
| CVE-2023-20925 | 2023-01-24 | In setUclampMinLocked of PowerSessionManager.cpp, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution... |
| CVE-2023-20928 | 2023-01-24 | In binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User... |
| CVE-2023-23331 | 2023-01-24 | Amano Xoffice parking solutions 7.1.3879 is vulnerable to SQL Injection. |
| CVE-2023-23949 | 2023-01-24 | An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client browser. |
| CVE-2023-23950 | 2023-01-24 | User’s supplied input (usually a CRLF sequence) can be used to split a returning response into two responses. |
| CVE-2023-23951 | 2023-01-24 | Ability to enumerate the Oracle LDAP attributes for the current user by modifying the query used by the application |
| CVE-2023-24057 | 2023-01-24 | HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive (for a prepackaged... |
| CVE-2023-24422 | 2023-01-24 | A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the... |
| CVE-2023-24423 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit. |
| CVE-2023-24424 | 2023-01-24 | Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. |
| CVE-2023-24425 | 2023-01-24 | Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials... |
| CVE-2023-24426 | 2023-01-24 | Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login. |
| CVE-2023-24427 | 2023-01-24 | Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. |
| CVE-2023-24428 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account. |
| CVE-2023-24429 | 2023-01-24 | Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing... |
| CVE-2023-24430 | 2023-01-24 | Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-24431 | 2023-01-24 | A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2023-24432 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through... |
| CVE-2023-24433 | 2023-01-24 | Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through... |
| CVE-2023-24434 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through... |
| CVE-2023-24435 | 2023-01-24 | A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained... |
| CVE-2023-24436 | 2023-01-24 | A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2023-24437 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another... |
| CVE-2023-24438 | 2023-01-24 | A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through... |
| CVE-2023-24439 | 2023-01-24 | Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with... |
| CVE-2023-24440 | 2023-01-24 | Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. |
| CVE-2023-24441 | 2023-01-24 | Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-24442 | 2023-01-24 | Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the... |
| CVE-2023-24443 | 2023-01-24 | Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-24444 | 2023-01-24 | Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login. |
| CVE-2023-24445 | 2023-01-24 | Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. |
| CVE-2023-24446 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account. |
| CVE-2023-24447 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password. |
| CVE-2023-24448 | 2023-01-24 | A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password. |
| CVE-2023-24449 | 2023-01-24 | Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence... |
| CVE-2023-24450 | 2023-01-24 | Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access... |
| CVE-2023-24452 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password. |
| CVE-2023-24453 | 2023-01-24 | A missing check in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. |
| CVE-2023-24454 | 2023-01-24 | Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with... |
| CVE-2023-24455 | 2023-01-24 | Jenkins visualexpert Plugin 1.3 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Item/Configure permission to check for the existence of an... |
| CVE-2023-24456 | 2023-01-24 | Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. |
| CVE-2023-24457 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account. |
| CVE-2023-24458 | 2023-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified URL. |
| CVE-2023-24459 | 2023-01-24 | A missing permission check in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. |
| CVE-2023-22485 | 2023-01-24 | cmark-gfm out-of-bounds read in validate_protocol |
| CVE-2023-22486 | 2023-01-24 | cmark-gfm Quadratic complexity bug in handle_close_bracket may lead to a denial of service |
| CVE-2023-23608 | 2023-01-24 | spotipy Path traversal vulnerability that may lead to type confusion in URI handling code |
| CVE-2022-25350 | 2023-01-24 | All versions of the package puppet-facter are vulnerable to Command Injection via the getFact function due to improper input sanitization. |
| CVE-2022-25908 | 2023-01-24 | All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization. |
| CVE-2022-25860 | 2023-01-24 | Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists... |
| CVE-2022-47615 | 2023-01-24 | WordPress LearnPress Plugin <= 4.1.7.3.2 is vulnerable to Local File Inclusion |
| CVE-2022-45808 | 2023-01-24 | WordPress LearnPress Plugin <= 4.1.7.3.2 is vulnerable to SQL Injection |
| CVE-2022-45820 | 2023-01-24 | WordPress LearnPress Plugin <= 4.1.7.3.2 is vulnerable to SQL Injection |
| CVE-2023-0284 | 2023-01-24 | Improper validation of LDAP user IDs |
| CVE-2023-24022 | 2023-01-24 | Hard Coded Credential Crypt Vulnerability |
| CVE-2023-0463 | 2023-01-24 | The force offline MFA prompt setting is not respected when switching to offline mode in Devolutions Remote Desktop Manager 2022.3.29 to 2022.3.30 allows a user to save sensitive data on... |
| CVE-2023-0356 | 2023-01-24 | SOCOMEC MODULYS GP Netvision versions 7.20 and prior lack strong encryption for credentials on HTTP connections, which could result in threat actors obtaining sensitive information. |
| CVE-2023-23613 | 2023-01-24 | Field-level security issue with .keyword fields in OpenSearch |
| CVE-2023-23612 | 2023-01-24 | Issue with whitespace in JWT roles in OpenSearch |
| CVE-2023-24508 | 2023-01-24 | Remote Code Execution in Baicells RTS Platform |
| CVE-2018-25078 | 2023-01-25 | man-db before 2.8.5 on Gentoo allows local users (with access to the man user account) to gain root privileges because /usr/bin/mandb is executed by root but not owned by root.... |
| CVE-2020-18329 | 2023-01-25 | An issue was discovered in Rehau devices that use a pCOWeb card BIOS v6.27, BOOT v5.00, web version v2.2, allows attackers to gain full unauthenticated access to the configuration and... |
| CVE-2020-18330 | 2023-01-25 | An issue was discovered in the default configuration of ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C_WIFI-V0.05), allows attackers to gain access to the configuration... |
| CVE-2020-18331 | 2023-01-25 | Directory traversal vulnerability in ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01(hardware platform Gpn2.4P21-C_WIFI-V0.05), via the getpage parameter to /cgi-bin/webproc. |
| CVE-2020-36657 | 2023-01-25 | uptimed before 0.4.6-r1 on Gentoo allows local users (with access to the uptimed user account) to gain root privileges by creating a hard link within the /var/spool/uptimed directory, because there... |
| CVE-2022-29843 | 2023-01-25 | Western Digital My Cloud OS 5 devices Command Injection Vulnerability |
| CVE-2022-29844 | 2023-01-25 | Western Digital My Cloud OS 5 arbitrary file read and write vulnerability via ftp |
| CVE-2022-31704 | 2023-01-25 | The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote... |
| CVE-2022-31706 | 2023-01-25 | The vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code... |
| CVE-2022-31710 | 2023-01-25 | vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service. |
| CVE-2022-31711 | 2023-01-25 | VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication. |
| CVE-2022-38758 | 2023-01-25 | XSS vulnerabilities in iManager |
| CVE-2022-40035 | 2023-01-25 | File Upload Vulnerability found in Rawchen Blog-ssm v1.0 allowing attackers to execute arbitrary commands and gain escalated privileges via the /uploadFileList component. |
| CVE-2022-43997 | 2023-01-25 | Incorrect access control in Aternity agent in Riverbed Aternity before 12.1.4.27 allows for local privilege escalation. There is an insufficiently protected handle to the A180AG.exe SYSTEM process with PROCESS_ALL_ACCESS rights. |
| CVE-2022-44018 | 2023-01-25 | In Softing uaToolkit Embedded before 1.40.1, a malformed PubSub discovery announcement message can cause a NULL pointer dereference or out-of-bounds memory access in the subscriber application. |
| CVE-2022-45730 | 2023-01-25 | A cross-site scripting (XSS) vulnerability in Doctor Appointment Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search function. |
| CVE-2022-45920 | 2023-01-25 | In Softing uaToolkit Embedded before 1.41, a malformed CreateMonitoredItems request may cause a memory leak. |
| CVE-2022-46128 | 2023-01-25 | phpgurukul Doctor Appointment Management System V 1.0.0 is vulnerable to Cross Site Scripting (XSS) via searchdata=. |
| CVE-2022-46624 | 2023-01-25 | A cross-site scripting (XSS) vulnerability in Online Graduate Tracer System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter. |
| CVE-2022-46957 | 2023-01-25 | Sourcecodester.com Online Graduate Tracer System V 1.0.0 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2022-46998 | 2023-01-25 | An issue in the website background of taocms v3.0.2 allows attackers to execute a Server-Side Request Forgery (SSRF). |
| CVE-2022-46999 | 2023-01-25 | Tuzicms v2.0.6 was discovered to contain a SQL injection vulnerability via the component \App\Manage\Controller\UserController.class.php. |
| CVE-2022-47052 | 2023-01-25 | The web interface of the 'Nighthawk R6220 AC1200 Smart Wi-Fi Router' is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection. A... |
| CVE-2022-47073 | 2023-01-25 | A cross-site scripting (XSS) vulnerability in the Create Ticket page of Small CRM v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the... |
| CVE-2022-47767 | 2023-01-25 | A backdoor in Solar-Log Gateway products allows remote access via web panel gaining super administration privileges to the attacker. This affects Solar-Log devices that use firmware version v4.2.7 up to... |
| CVE-2023-0229 | 2023-01-25 | A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control... |
| CVE-2023-0321 | 2023-01-25 | Disclosure of Sensitive Information on Campbell Scientific Products |
| CVE-2023-0468 | 2023-01-25 | A use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel due to a race condition of poll_refs. This flaw may cause a NULL... |
| CVE-2023-0469 | 2023-01-25 | A use-after-free flaw was found in io_uring/filetable.c in io_install_fixed_file in the io_uring subcomponent in the Linux Kernel during call cleanup. This flaw may lead to a denial of service. |
| CVE-2023-0476 | 2023-01-25 | A LDAP injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could generate data in Active Directory using the... |
| CVE-2023-23151 | 2023-01-25 | bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file deletion vulnerability via the component /include/inc_content_media.php. |
| CVE-2023-24493 | 2023-01-25 | A formula injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could leverage the reporting system to export reports... |
| CVE-2023-24494 | 2023-01-25 | A stored cross-site scripting (XSS) vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated, remote attacker can exploit this by convincing... |
| CVE-2023-24495 | 2023-01-25 | A Server Side Request Forgery (SSRF) vulnerability exists in Tenable.sc due to improper validation of session & user-accessible input data. A privileged, authenticated remote attacker could interact with external and... |
| CVE-2022-25927 | 2023-01-25 | Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function. |
| CVE-2022-25847 | 2023-01-25 | All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a file listing of all of its... |
| CVE-2022-21192 | 2023-01-25 | All versions of the package serve-lite are vulnerable to Directory Traversal due to missing input sanitization or other checks and protections employed to the req.url passed as-is to path.join(). |