CVE List - 2023 / April
Showing 1001 - 1100 of 2302 CVEs for April 2023 (Page 11 of 24)
| CVE ID | Date | Description |
|---|---|---|
| CVE-2023-26852 | 2023-04-12 | An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file. |
| CVE-2023-27032 | 2023-04-12 | Prestashop advancedpopupcreator v1.1.21 to v1.1.24 was discovered to contain a SQL injection vulnerability via the component AdvancedPopup::getPopups(). |
| CVE-2023-27216 | 2023-04-12 | An issue found in D-Link DSL-3782 v.1.03 allows remote authenticated users to execute arbitrary code as root via the network settings page. |
| CVE-2023-27703 | 2023-04-12 | The Android version of pikpak v1.29.2 was discovered to contain an information leak via the debug interface. |
| CVE-2023-27704 | 2023-04-12 | Void Tools Everything versions earlier than v1.4.1.1022 were discovered to contain a Regular Expression Denial of Service (ReDoS). |
| CVE-2023-27775 | 2023-04-12 | A stored HTML injection vulnerability in LiveAction LiveSP v21.1.2 allows attackers to execute arbitrary code via a crafted payload. |
| CVE-2023-27826 | 2023-04-12 | SeowonIntech SWC 5100W WIMAX Bootloader 1.18.19.0, HW 0.0.7.0, and FW 1.11.0.1, 1.9.9.4 are vulnerable to OS Command Injection, which allows attackers to take over the system with root privilege by... |
| CVE-2023-27830 | 2023-04-12 | TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system via replacing legitimate files with crafted files when executing a file transfer. This is due to the... |
| CVE-2023-28488 | 2023-04-12 | client.c in gdhcp in ConnMan through 1.41 could be used by network-adjacent attackers (operating a crafted DHCP server) to cause a stack-based buffer overflow and denial of service, terminating the... |
| CVE-2023-29571 | 2023-04-12 | Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_sweep at src/mjs_gc.c. This vulnerability can lead to a Denial of Service (DoS). |
| CVE-2023-29574 | 2023-04-12 | Bento4 v1.6.0-639 was discovered to contain an out-of-memory bug in the mp42avc component. |
| CVE-2023-29580 | 2023-04-12 | yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c. |
| CVE-2023-30512 | 2023-04-12 | CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret. |
| CVE-2023-1829 | 2023-04-12 | Use-after-free in tcindex (traffic control index filter) in the Linux Kernel |
| CVE-2023-1874 | 2023-04-12 | The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the... |
| CVE-2022-47605 | 2023-04-12 | WordPress Custom 404 Pro Plugin <= 3.7.0 is vulnerable to SQL Injection (SQLi) |
| CVE-2023-1872 | 2023-04-12 | Use-after-free in Linux kernel's io_uring subsystem |
| CVE-2023-0004 | 2023-04-12 | PAN-OS: Local File Deletion Vulnerability |
| CVE-2023-0005 | 2023-04-12 | PAN-OS: Exposure of Sensitive Information Vulnerability |
| CVE-2023-0006 | 2023-04-12 | GlobalProtect App: Local File Deletion Vulnerability |
| CVE-2023-30513 | 2023-04-12 | Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. |
| CVE-2023-30514 | 2023-04-12 | Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. |
| CVE-2023-30515 | 2023-04-12 | Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is... |
| CVE-2023-30516 | 2023-04-12 | Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters... |
| CVE-2023-30517 | 2023-04-12 | Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server. |
| CVE-2023-30518 | 2023-04-12 | A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2023-30519 | 2023-04-12 | A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. |
| CVE-2023-30520 | 2023-04-12 | Jenkins Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable... |
| CVE-2023-30521 | 2023-04-12 | A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. |
| CVE-2023-30522 | 2023-04-12 | A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter. |
| CVE-2023-30523 | 2023-04-12 | Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed... |
| CVE-2023-30524 | 2023-04-12 | Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2023-30525 | 2023-04-12 | A cross-site request forgery (CSRF) vulnerability in Jenkins Report Portal Plugin 0.5 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified bearer token authentication. |
| CVE-2023-30526 | 2023-04-12 | A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication. |
| CVE-2023-30527 | 2023-04-12 | Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users... |
| CVE-2023-30528 | 2023-04-12 | Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it. |
| CVE-2023-30529 | 2023-04-12 | Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, allowing attackers to reindex the database. |
| CVE-2023-30530 | 2023-04-12 | Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by... |
| CVE-2023-30531 | 2023-04-12 | Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture... |
| CVE-2023-30532 | 2023-04-12 | A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository. |
| CVE-2023-27812 | 2023-04-13 | bloofox v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file() function. |
| CVE-2023-29597 | 2023-04-13 | bloofox v0.5.2 was discovered to contain a SQL injection vulnerability via the component /index.php?mode=content&page=pages&action=edit&eid=1. |
| CVE-2022-48468 | 2023-04-13 | protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member. |
| CVE-2023-2014 | 2023-04-13 | Cross-site Scripting (XSS) - Generic in microweber/microweber |
| CVE-2023-2021 | 2023-04-13 | Cross-site Scripting (XSS) - Stored in nilsteampassnet/teampass |
| CVE-2023-20863 | 2023-04-13 | In Spring Framework versions prior to 5.2.24, 5.3.27, and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service... |
| CVE-2023-20866 | 2023-04-13 | In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs... |
| CVE-2023-22948 | 2023-04-13 | An issue was discovered in TigerGraph Enterprise Free Edition 3.x. There is unsecured read access to an SSH private key. Any code that runs as the tigergraph user is able... |
| CVE-2023-22950 | 2023-04-13 | An issue was discovered in TigerGraph Enterprise Free Edition 3.x. Data loading jobs in gsql_server, created by any user with designer permissions, can read sensitive data from arbitrary locations. |
| CVE-2023-22951 | 2023-04-13 | An issue was discovered in TigerGraph Enterprise Free Edition 3.x. It creates an authentication token for internal systems use. This token can be read from the configuration file. Using this... |
| CVE-2023-24509 | 2023-04-13 | On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading t ... |
| CVE-2023-25954 | 2023-04-13 | 'KYOCERA Mobile Print' v3.2.0.230119 and earlier, 'UTAX/TA MobilePrint' v3.2.0.230119 and earlier, and 'Olivetti Mobile Print' v3.2.0.230119 and earlier are vulnerable to improper intent handling. When a malicious app is installed... |
| CVE-2023-26263 | 2023-04-13 | All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. |
| CVE-2023-26264 | 2023-04-13 | All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. |
| CVE-2023-26398 | 2023-04-13 | ZDI-CAN-20310: Adobe Substance 3D Designer USDC File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
| CVE-2023-26409 | 2023-04-13 | ZDI-CAN-20313: Adobe Substance 3D Designer USD File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
| CVE-2023-26410 | 2023-04-13 | ZDI-CAN-20309: Adobe Substance 3D Designer USD File Parsing Use-After-Free Remote Code Execution Vulnerability |
| CVE-2023-26411 | 2023-04-13 | ZDI-CAN-20312: Adobe Substance 3D Designer USDC File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
| CVE-2023-26412 | 2023-04-13 | ZDI-CAN-20314: Adobe Substance 3D Designer USDA File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2023-26413 | 2023-04-13 | ZDI-CAN-20315: Adobe Substance 3D Designer USD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2023-26414 | 2023-04-13 | ZDI-CAN-20316: Adobe Substance 3D Designer USD File Parsing Use-After-Free Remote Code Execution Vulnerability |
| CVE-2023-26415 | 2023-04-13 | ZDI-CAN-20317: Adobe Substance 3D Designer DAE File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2023-26416 | 2023-04-13 | ZDI-CAN-20318: Adobe Substance 3D Designer DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2023-26918 | 2023-04-13 | Diasoft File Replication Pro 7.5.0 allows attackers to escalate privileges by replacing a legitimate file with a Trojan horse that will be executed as LocalSystem. This occurs because %ProgramFiles%\FileReplicationPro allows... |
| CVE-2023-27667 | 2023-04-13 | Auto Dealer Management System v1.0 was discovered to contain a SQL injection vulnerability. |
| CVE-2023-27746 | 2023-04-13 | BlackVue DR750-2CH LTE v.1.012_2022.10.26 was discovered to contain a weak default passphrase which can be easily cracked via a brute force attack if the WPA2 handshake is intercepted. |
| CVE-2023-27747 | 2023-04-13 | BlackVue DR750-2CH LTE v.1.012_2022.10.26 does not employ authentication in its web server. This vulnerability allows attackers to access sensitive information such as configurations and recordings. |
| CVE-2023-27748 | 2023-04-13 | BlackVue DR750-2CH LTE v.1.012_2022.10.26 does not employ authenticity check for uploaded firmware. This can allow attackers to upload crafted firmware which contains backdoors and enables arbitrary code execution. |
| CVE-2023-27772 | 2023-04-13 | libiec61850 v1.5.1 was discovered to contain a segmentation violation via the function ControlObjectClient_setOrigin() at /client/client_control.c. |
| CVE-2023-27779 | 2023-04-13 | AM Presencia v3.7.3 was discovered to contain a SQL injection vulnerability via the user parameter in the login form. |
| CVE-2023-29084 | 2023-04-13 | Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings. |
| CVE-2023-29573 | 2023-04-13 | Bento4 v1.6.0-639 was discovered to contain an out-of-memory bug in the mp4info component. |
| CVE-2023-29598 | 2023-04-13 | lmxcms v1.4.1 was discovered to contain a SQL injection vulnerability via the setbook parameter at index.php. |
| CVE-2023-30630 | 2023-04-13 | Dmidecode before 3.5 allows --dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. NOTE: Some third parties have indicated... |
| CVE-2023-30635 | 2023-04-13 | TiKV 6.1.2 allows remote attackers to cause a denial of service (fatal error) upon an attempt to get a timestamp from the Placement Driver. |
| CVE-2023-30636 | 2023-04-13 | TiKV 6.1.2 allows remote attackers to cause a denial of service (fatal error, with RpcStatus UNAVAILABLE for "not leader") upon an attempt to start a node in a situation where... |
| CVE-2023-30637 | 2023-04-13 | Baidu braft 1.1.2 has a memory leak related to use of the new operator in example/atomic/atomic_server. NOTE: installations with brpc-0.14.0 and later are unaffected. |
| CVE-2023-30638 | 2023-04-13 | Atos Unify OpenScape SBC 10 before 10R3.1.3, OpenScape Branch 10 before 10R3.1.2, and OpenScape BCF 10 before 10R10.7.0 allow remote authenticated admins to inject commands. |
| CVE-2022-45064 | 2023-04-13 | Apache Sling Engine: Include-based XSS |
| CVE-2022-44625 | 2023-04-13 | WordPress Cyklodev WP Notify Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2022-45358 | 2023-04-13 | WordPress Activello Theme <= 1.4.4 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-1326 | 2023-04-13 | Local privilege escalation in apport-cli |
| CVE-2023-26756 | 2023-04-14 | The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. NOTE: The vendor's position is that this is effectively mitigated by rate limits and password-quality features. |
| CVE-2023-26980 | 2023-04-14 | PAX Technology PAX A920 Pro PayDroid 8.1 suffers from a Race Condition vulnerability, which allows attackers to bypass the payment software and force the OS to boot directly to Android during... |
| CVE-2023-27890 | 2023-04-14 | The Export User plugin through 2.0 for MyBB allows XSS during the process of an admin generating DSGVO data for a user, via the Custom User Title, Location, or Bio... |
| CVE-2021-46880 | 2023-04-14 | x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0 errata 006, allows authentication bypass because an error for an unverified certificate chain is sometimes discarded. |
| CVE-2022-45170 | 2023-04-14 | An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Cryptographic Issue can occur under the /api/v1/vencrypt/decrypt/file endpoint. A malicious user, logged into a victim's account, is able to... |
| CVE-2022-45173 | 2023-04-14 | An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /api/v1/vdeskintegration/challenge endpoint. Because only the client-side verifies whether a check was... |
| CVE-2022-45174 | 2023-04-14 | An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication for SAML Users can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/challenge endpoint. The correctness... |
| CVE-2022-45175 | 2023-04-14 | An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE}/c/{N}/{C}/websocket endpoint. A malicious unauthenticated user can access cached files in... |
| CVE-2022-45178 | 2023-04-14 | An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdeskintegration/saml/user/createorupdate endpoint, the /settings/guest-settings endpoint, the /settings/samlusers-settings endpoint, and the /settings/users-settings endpoint. A malicious... |
| CVE-2022-45180 | 2023-04-14 | An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdesk_{DOMAIN}/export endpoint. A malicious user, authenticated to the product without any specific privilege, can... |
| CVE-2022-46886 | 2023-04-14 | There exists an open redirect within the response list update functionality of ServiceNow. This allows attackers to redirect users to arbitrary domains when clicking on a URL within a service-now... |
| CVE-2022-47027 | 2023-04-14 | Timmystudios Fast Typing Keyboard v1.275.1.162 allows unauthorized apps to overwrite arbitrary files in its internal storage via a directory traversal vulnerability and achieve arbitrary code execution. |
| CVE-2023-2008 | 2023-04-14 | A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied... |
| CVE-2023-2034 | 2023-04-14 | Unrestricted Upload of File with Dangerous Type in froxlor/froxlor |
| CVE-2023-22949 | 2023-04-14 | An issue was discovered in TigerGraph Enterprise Free Edition 3.x. There is logging of user credentials. All authenticated GSQL access requests are logged by TigerGraph in multiple places. Each request... |
| CVE-2023-25597 | 2023-04-14 | A vulnerability in the web conferencing component of Mitel MiCollab through 9.6.2.9 could allow an unauthenticated attacker to download a shared file via a crafted request - including the exact... |
| CVE-2023-26463 | 2023-04-14 | strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control,... |
| CVE-2023-26559 | 2023-04-14 | A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF... |
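Added example, not part of the original listing and not CubeFS project code: the CVE-2023-30512 entry above describes the general RBAC failure in which a DaemonSet's service account is bound to a ClusterRole that can list Secrets cluster-wide, so any pod of that DaemonSet can read the admin secret. The audit below flags every ClusterRoleBinding that hands a subject get/list/watch (or a `*` wildcard) on core-group `secrets`, treats a `get` scoped by `resourceNames` as least-privilege rather than a finding, and ignores namespaced RoleBindings because those do not give cluster-wide reach. The ClusterRole and binding objects embedded in it are constructed to mirror the CVE description; the names `csi-node-role`, `csi-node-sa` and the rest are hypothetical, not CubeFS's real manifests.

```python
"""Flag ClusterRoleBindings that give a subject read access to every Secret in the
cluster, the RBAC pattern behind CVE-2023-30512 (a DaemonSet service account bound
to a ClusterRole that can list secrets). Added example; the objects below are
constructed samples, not real CubeFS manifests."""

from typing import Iterable, List, Set, Tuple

# Verbs that reveal Secret contents. A wildcard verb covers them all.
SECRET_READ_VERBS = {"get", "list", "watch"}


def rule_exposes_secrets(rule: dict) -> bool:
    """True if one PolicyRule grants cluster-wide read of core-group secrets."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    core_group = "" in groups or "*" in groups          # secrets live in the core ("") group
    on_secrets = "secrets" in resources or "*" in resources
    if not (core_group and on_secrets):
        return False
    if rule.get("resourceNames"):
        # A `get` pinned to named objects is least privilege; list/watch/* in a
        # resourceNames rule still reaches far more than the names suggest.
        return bool(verbs & {"list", "watch", "*"})
    return bool(verbs & SECRET_READ_VERBS) or "*" in verbs


def secret_reading_roles(cluster_roles: Iterable[dict]) -> Set[str]:
    """Names of ClusterRoles with at least one rule that exposes secrets."""
    return {
        cr["metadata"]["name"]
        for cr in cluster_roles
        if any(rule_exposes_secrets(r) for r in cr.get("rules", []))
    }


def find_secret_readers(cluster_roles: Iterable[dict],
                        bindings: Iterable[dict]) -> List[Tuple[str, str]]:
    """(subject, role) pairs where a ClusterRoleBinding grants cluster-wide Secret read.

    Only ClusterRoleBindings count: a namespaced RoleBinding that references the
    same ClusterRole confines it to one namespace.
    """
    risky = secret_reading_roles(cluster_roles)
    findings: List[Tuple[str, str]] = []
    for binding in bindings:
        if binding.get("kind") != "ClusterRoleBinding":
            continue
        ref = binding["roleRef"]
        if ref.get("kind") != "ClusterRole" or ref["name"] not in risky:
            continue
        for subj in binding.get("subjects", []):
            ns = subj.get("namespace")
            who = f"{subj['kind']}:{ns + '/' if ns else ''}{subj['name']}"
            findings.append((who, ref["name"]))
    return findings


# Constructed sample (hypothetical names): the first CSI node role can list every
# secret, the "fixed" variant may only `get` the one secret the driver needs.
SAMPLE_CLUSTER_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "csi-node-role"},
     "rules": [
         {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
     ]},
    {"kind": "ClusterRole", "metadata": {"name": "csi-node-role-fixed"},
     "rules": [
         {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
          "resourceNames": ["csi-driver-credentials"]},
     ]},
]

SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "csi-node-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "csi-node-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "csi-node-sa", "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "csi-node-binding-fixed"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "csi-node-role-fixed"},
     "subjects": [{"kind": "ServiceAccount", "name": "csi-node-sa-fixed", "namespace": "kube-system"}]},
    # Namespaced RoleBinding to the risky role: confined to "storage", so not reported.
    {"kind": "RoleBinding", "metadata": {"name": "csi-node-ns-binding", "namespace": "storage"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "csi-node-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "csi-local-sa", "namespace": "storage"}]},
]

if __name__ == "__main__":
    for subject, role in find_secret_readers(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f"{subject} can read every Secret in the cluster via ClusterRole {role}")
```

Against a live cluster, feed `find_secret_readers` the `items` of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`; the `kind` check means the two lists can also be passed in combined. A hit for a DaemonSet or other workload service account is the CVE-2023-30512 shape: every node running that pod holds a token that can dump the cluster's secrets.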