CVE List - 2023 / January
Showing 2301 - 2351 of 2351 CVEs for January 2023 (Page 24 of 24)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-20402 | 2023-01-31 | Westbrookadmin portfolioCMS v1.05 allows attackers to bypass password validation and access sensitive information via session fixation. |
| CVE-2022-30421 | 2023-01-31 | Improper Authentication vulnerability in Toshiba Storage Security Software V1.2.0.7413 allows sensitive information to be obtained via the (local) password authentication module. |
| CVE-2022-32984 | 2023-01-31 | BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source... |
| CVE-2022-39059 | 2023-01-31 | ChangingTec MegaServiSignAdapter - Path Traversal |
| CVE-2022-39060 | 2023-01-31 | ChangingTec MegaServiSignAdapter - Improper Input Validation |
| CVE-2022-39061 | 2023-01-31 | ChangingTec MegaServiSignAdapter - Out-of-bounds Read |
| CVE-2022-44897 | 2023-01-31 | A cross-site scripting (XSS) vulnerability in ApolloTheme AP PageBuilder component through 2.4.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the show_number parameter. |
| CVE-2022-45172 | 2023-01-31 | An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is... |
| CVE-2022-45297 | 2023-01-31 | EQ v1.5.31 to v2.2.0 was discovered to contain a SQL injection vulnerability via the UserPwd parameter. |
| CVE-2022-45435 | 2023-01-31 | SailPoint IdentityIQ Access Control Bypass |
| CVE-2022-45494 | 2023-01-31 | Buffer overflow vulnerability in function json_parse_object in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to execute arbitrary code and gain escalated privileges. |
| CVE-2022-45598 | 2023-01-31 | Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper sanitization. |
| CVE-2022-45789 | 2023-01-31 | A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxure Control Expert... |
| CVE-2022-46835 | 2023-01-31 | SailPoint IdentityIQ JavaServer File Path Traversal Vulnerability |
| CVE-2022-47035 | 2023-01-31 | Buffer Overflow Vulnerability in D-Link DIR-825 v1.33.0.44ebdd4-embedded and below allows attacker to execute arbitrary code via the GetConfig method to the /CPE endpoint. |
| CVE-2022-47697 | 2023-01-31 | COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts. |
| CVE-2022-47698 | 2023-01-31 | COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS) via the URL filtering feature in the router. |
| CVE-2022-47699 | 2023-01-31 | COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Incorrect Access Control. |
| CVE-2022-47700 | 2023-01-31 | COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Incorrect Access Control. Improper authentication allows requests to be made to back-end scripts... |
| CVE-2022-47701 | 2023-01-31 | COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2022-47780 | 2023-01-31 | SQL Injection vulnerability in Bangresto 1.0 via the itemID parameter. |
| CVE-2022-47854 | 2023-01-31 | i-librarian 4.10 is vulnerable to Arbitrary file upload in ajaxsupplement.php. |
| CVE-2022-47873 | 2023-01-31 | Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote). |
| CVE-2022-48161 | 2023-01-31 | Easy Images v2.0 was discovered to contain an arbitrary file download vulnerability via the component /application/down.php. This vulnerability is exploited via a crafted GET request. |
| CVE-2022-4898 | 2023-01-31 | In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however... |
| CVE-2023-22610 | 2023-01-31 | A CWE-863: Incorrect Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP... |
| CVE-2023-22611 | 2023-01-31 | A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause information disclosure when specific messages are sent to the server over the database server TCP... |
| CVE-2023-22900 | 2023-01-31 | Thinking Software Technology Co., Ltd. Efence - SQL Injection |
| CVE-2023-24162 | 2023-01-31 | Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter. |
| CVE-2023-24163 | 2023-01-31 | SQL Injection vulnerability in Dromara hutool before 5.8.21 allows attacker to execute arbitrary code via the aviator template engine. |
| CVE-2023-24241 | 2023-01-31 | Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /admin/loginpost.php. |
| CVE-2023-24956 | 2023-01-31 | Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /cha.php. |
| CVE-2022-40258 | 2023-01-31 | Weak password hashes for Redfish & API |
| CVE-2022-4041 | 2023-01-31 | Privilege Escalation Vulnerability in Hitachi Storage Plug-in for VMware vCenter |
| CVE-2022-4441 | 2023-01-31 | Privilege Escalation Vulnerability in Hitachi Storage Plug-in for VMware vCenter |
| CVE-2022-25881 | 2023-01-31 | This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy... |
| CVE-2022-21129 | 2023-01-31 | Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. **Note:** In order to exploit this vulnerability appium-running 0.1.3... |
| CVE-2022-25979 | 2023-01-31 | Versions of the package jsuites before 5.0.1 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the Editor() function. |
| CVE-2023-0591 | 2023-01-31 | Path Traversal in ubi_reader |
| CVE-2023-24829 | 2023-01-31 | Apache IoTDB Workbench: apache/iotdb-web-workbench: forge the JWTToken to access workbench |
| CVE-2023-0592 | 2023-01-31 | Path traversal in jefferson |
| CVE-2023-0593 | 2023-01-31 | Path traversal in yaffshiv |
| CVE-2022-44645 | 2023-01-31 | Apache Linkis (incubating): The DatasourceManager module has a serialization attack vulnerability |
| CVE-2022-44644 | 2023-01-31 | Apache Linkis (incubating): The DatasourceManager module has a Local File Read Vulnerability |
| CVE-2022-24963 | 2023-01-31 | Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions |
| CVE-2022-25147 | 2023-01-31 | Apache Portable Runtime Utility (APR-util): out-of-bounds writes in the apr_base64 family of functions |
| CVE-2022-28331 | 2023-01-31 | Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function |
| CVE-2016-15023 | 2023-01-31 | SiteFusion Application Server Extension getextension.php path traversal |
| CVE-2023-0341 | 2023-01-31 | Stack Buffer Overflow in editorconfig-core-c |
| CVE-2023-23924 | 2023-01-31 | URI validation failure on SVG parsing in Dompdf |
| CVE-2022-47002 | 2023-02-01 | A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request. |
| CVE-2022-47872 | 2023-02-01 | A Server-Side Request Forgery (SSRF) in maccms10 v2021.1000.2000 allows attackers to force the application to make arbitrary requests via a crafted payload injected into the Name parameter under the Interface... |
| CVE-2023-23126 | 2023-02-01 | Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy... |
| CVE-2023-23127 | 2023-02-01 | In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration... |
| CVE-2023-23130 | 2023-02-01 | Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Authentication is being done via HTTP (cleartext) with SSL disabled. NOTE: the vendor's position is that, by design, this is controlled by... |
| CVE-2021-22786 | 2023-02-01 | A CWE-200: Information Exposure vulnerability exists that could cause the exposure of sensitive information stored on the memory of the controller when communicating over the Modbus TCP protocol. Affected Products:... |
| CVE-2022-2329 | 2023-02-01 | A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially... |
| CVE-2022-24324 | 2023-02-01 | A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially... |
| CVE-2022-30904 | 2023-02-01 | In Bestechnic Bluetooth Mesh SDK (BES2300) V1.0, a buffer overflow vulnerability can be triggered during provisioning, because there is no check for the SegN field of the Transaction Start PDU. |
| CVE-2022-31363 | 2023-02-01 | Cypress : https://www.infineon.com/ Cypress Bluetooth Mesh SDK BSA0107_05.01.00-BX8-AMESH-08 is affected by: Buffer Overflow. The impact is: execute arbitrary code (remote). The component is: affected function is pb_transport_handle_frag_. In Cypress... |
| CVE-2022-31364 | 2023-02-01 | Cypress : https://www.infineon.com/ Cypress Bluetooth Mesh SDK BSA0107_05.01.00-BX8-AMESH-08 is affected by: Buffer Overflow. The impact is: execute arbitrary code (remote). The component is: affected function is lower_transport_layer_on_seg. In Cypress... |
| CVE-2022-31902 | 2023-02-01 | Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add(). |
| CVE-2022-37033 | 2023-02-01 | In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or... |
| CVE-2022-37034 | 2023-02-01 | In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in... |
| CVE-2022-4062 | 2023-02-01 | A CWE-285: Improper Authorization vulnerability exists that could cause unauthorized access to certain software functions when an attacker gets access to localhost interface of the EcoStruxure Power Commission application. Affected... |
| CVE-2022-4206 | 2023-02-01 | A sensitive information leak issue has been discovered in all versions of DAST API scanner from 1.6.50 prior to 2.0.102, exposing the Authorization header in the vulnerability report |
| CVE-2022-4254 | 2023-02-01 | sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters |
| CVE-2022-42970 | 2023-02-01 | A CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected... |
| CVE-2022-42971 | 2023-02-01 | A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS... |
| CVE-2022-42972 | 2023-02-01 | A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could cause local privilege escalation when a local attacker modifies the webroot directory. Affected Products: APC Easy UPS Online... |
| CVE-2022-42973 | 2023-02-01 | A CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause local privilege escalation when local attacker connects to the database. Affected Products: APC Easy UPS Online Monitoring Software (Windows... |
| CVE-2022-45782 | 2023-02-01 | An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover. |
| CVE-2022-45783 | 2023-02-01 | An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution. |
| CVE-2022-46934 | 2023-02-01 | kkFileView v4.1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java. |
| CVE-2022-47003 | 2023-02-01 | A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request. |
| CVE-2022-47714 | 2023-02-01 | Last Yard 22.09.8-1 does not enforce HSTS headers |
| CVE-2022-47715 | 2023-02-01 | In Last Yard 22.09.8-1, the cookie can be stolen via unencrypted traffic. |
| CVE-2022-47717 | 2023-02-01 | Last Yard 22.09.8-1 is vulnerable to Cross-origin resource sharing (CORS). |
| CVE-2022-47768 | 2023-02-01 | Serenissima Informatica Fast Checkin 1.0 is vulnerable to Directory Traversal. |
| CVE-2022-47769 | 2023-02-01 | An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the... |
| CVE-2022-47770 | 2023-02-01 | Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection. |
| CVE-2022-48093 | 2023-02-01 | Seacms v12.7 was discovered to contain a remote code execution (RCE) vulnerability via the ip parameter at admin_ip.php. |
| CVE-2022-48094 | 2023-02-01 | lmxcms v1.41 was discovered to contain an arbitrary file read vulnerability via TemplateAction.class.php. |
| CVE-2023-0454 | 2023-02-01 | OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an... |
| CVE-2023-0524 | 2023-02-01 | As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse... |
| CVE-2023-0587 | 2023-02-01 | A file upload vulnerability exists in Trend Micro Apex One server build 11110. Using a malformed Content-Length header in an HTTP PUT message sent to URL /officescan/console/html/cgi/fcgiOfcDDA.exe, an unauthenticated... |
| CVE-2023-0606 | 2023-02-01 | Cross-site Scripting (XSS) - Reflected in ampache/ampache |
| CVE-2023-0607 | 2023-02-01 | Cross-site Scripting (XSS) - Stored in projectsend/projectsend |
| CVE-2023-0608 | 2023-02-01 | Cross-site Scripting (XSS) - DOM in microweber/microweber |
| CVE-2023-0609 | 2023-02-01 | Improper Authorization in wallabag/wallabag |
| CVE-2023-0610 | 2023-02-01 | Improper Authorization in wallabag/wallabag |
| CVE-2023-20856 | 2023-02-01 | VMware vRealize Operations (vROps) contains a CSRF bypass vulnerability. A malicious user could execute actions on the vROps platform on behalf of the authenticated victim user. |
| CVE-2023-23073 | 2023-02-01 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component. |
| CVE-2023-23074 | 2023-02-01 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component. |
| CVE-2023-23075 | 2023-02-01 | Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation. |
| CVE-2023-23076 | 2023-02-01 | OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules. |
| CVE-2023-23077 | 2023-02-01 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment. |
| CVE-2023-23078 | 2023-02-01 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets. |
| CVE-2023-23128 | 2023-02-01 | Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no... |
| CVE-2023-23131 | 2023-02-01 | Selfwealth iOS mobile App 3.3.1 is vulnerable to Insecure App Transport Security (ATS) Settings. |