CVE List - 2023 / April
Showing 1201 - 1300 of 2302 CVEs for April 2023 (Page 13 of 24)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2018-17454 | 2023-04-15 | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the issue details screen. |
| CVE-2018-17455 | 2023-04-15 | An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions... |
| CVE-2018-17536 | 2023-04-15 | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the merge request page via project... |
| CVE-2018-17537 | 2023-04-15 | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. blog-viewer has stored XSS during repository browsing, if package.json exists. |
| CVE-2018-17883 | 2023-04-15 | An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an... |
| CVE-2019-14942 | 2023-04-15 | An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Cookies for GitLab Pages (which have access control) could be sent... |
| CVE-2019-14944 | 2023-04-15 | An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege... |
| CVE-2020-17354 | 2023-04-15 | LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution... |
| CVE-2020-27545 | 2023-04-15 | libdwarf before 20201017 has a one-byte out-of-bounds read because of an invalid pointer dereference via an invalid line table in a crafted object. |
| CVE-2020-28163 | 2023-04-15 | libdwarf before 20201201 allows a dwarf_print_lines.c NULL pointer dereference and application crash via a DWARF5 line-table header that has an invalid FORM for a pathname. |
| CVE-2020-29007 | 2023-04-15 | The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to... |
| CVE-2021-30153 | 2023-04-15 | An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. When using VisualEditor to edit a MediaWiki user page belonging to... |
| CVE-2021-34337 | 2023-04-15 | An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API... |
| CVE-2021-39295 | 2023-04-15 | In OpenBMC 2.9, crafted IPMI messages allow an attacker to cause a denial of service to the BMC via the netipmid (IPMI lan+) interface. |
| CVE-2021-43612 | 2023-04-15 | In lldpd before 1.0.13, when decoding SONMP packets in the sonmp_decode function, it's possible to trigger an out-of-bounds heap read via short SONMP packets. |
| CVE-2021-45464 | 2023-04-15 | kvmtool through 39181fc allows an out-of-bounds write, related to virtio/balloon.c and virtio/pci.c. This allows a guest OS user to execute arbitrary code on the host machine. |
| CVE-2022-2525 | 2023-04-15 | Improper Restriction of Excessive Authentication Attempts in janeczku/calibre-web |
| CVE-2022-43696 | 2023-04-15 | OX App Suite before 7.10.6-rev20 allows XSS via upsell ads. |
| CVE-2022-43697 | 2023-04-15 | OX App Suite before 7.10.6-rev30 allows XSS via an activity tracking adapter defined by jslob. |
| CVE-2022-43698 | 2023-04-15 | OX App Suite before 7.10.6-rev30 allows SSRF because changing a POP3 account disregards the deny-list. |
| CVE-2022-43699 | 2023-04-15 | OX App Suite before 7.10.6-rev30 allows SSRF because e-mail account discovery disregards the deny-list and thus can be attacked by an adversary who controls the DNS records of an external... |
| CVE-2022-45030 | 2023-04-15 | A SQL injection vulnerability in rConfig 3.9.7 exists via lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command= (this may interact with secure-file-priv). |
| CVE-2022-47522 | 2023-04-15 | The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target's MAC address, sending Power Save frames to the access point,... |
| CVE-2022-48177 | 2023-04-15 | X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the adin/importModels Import Records Model field (model parameter). This vulnerability allows... |
| CVE-2022-48178 | 2023-04-15 | X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI. |
| CVE-2023-2102 | 2023-04-15 | Cross-site Scripting (XSS) - Stored in alextselegidis/easyappointments |
| CVE-2023-2103 | 2023-04-15 | Cross-site Scripting (XSS) - Stored in alextselegidis/easyappointments |
| CVE-2023-2104 | 2023-04-15 | Improper Access Control in alextselegidis/easyappointments |
| CVE-2023-2105 | 2023-04-15 | Session Fixation in alextselegidis/easyappointments |
| CVE-2023-2106 | 2023-04-15 | Weak Password Requirements in janeczku/calibre-web |
| CVE-2023-22669 | 2023-04-15 | Parsing of DWG files in Open Design Alliance Drawings SDK before 2023.6 lacks proper validation of the length of user-supplied XRecord data prior to copying it to a fixed-length heap-based... |
| CVE-2023-22670 | 2023-04-15 | A heap-based buffer overflow exists in the DXF file reading procedure in Open Design Alliance Drawings SDK before 2023.6. The specific flaw exists within the parsing of DXF files. The... |
| CVE-2023-2089 | 2023-04-15 | SourceCodester Complaint Management System GET Parameter userprofile.php sql injection |
| CVE-2023-2027 | 2023-04-15 | The ZM Ajax Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.2. This is due to insufficient verification on the user... |
| CVE-2023-2091 | 2023-04-15 | KylinSoft youker-assistant adjust_cpufreq_scaling_governer os command injection |
| CVE-2023-2090 | 2023-04-15 | SourceCodester Employee and Visitor Gate Pass Logging System GET Parameter view_designation.php sql injection |
| CVE-2023-2092 | 2023-04-15 | SourceCodester Vehicle Service Management System view_service.php sql injection |
| CVE-2023-2093 | 2023-04-15 | SourceCodester Vehicle Service Management System Login.php sql injection |
| CVE-2023-2094 | 2023-04-15 | SourceCodester Vehicle Service Management System manage_mechanic.php sql injection |
| CVE-2023-2095 | 2023-04-15 | SourceCodester Vehicle Service Management System manage_category.php sql injection |
| CVE-2023-2096 | 2023-04-15 | SourceCodester Vehicle Service Management System manage_inventory.php sql injection |
| CVE-2023-2097 | 2023-04-15 | SourceCodester Vehicle Service Management System Master.php sql injection |
| CVE-2023-2098 | 2023-04-15 | SourceCodester Vehicle Service Management System topBarNav.php cross site scripting |
| CVE-2023-2099 | 2023-04-15 | SourceCodester Vehicle Service Management System Users.php cross site scripting |
| CVE-2023-2100 | 2023-04-15 | SourceCodester Vehicle Service Management System index.php cross site scripting |
| CVE-2023-2101 | 2023-04-15 | moxi624 Mogu Blog v2 uploadPicsByUrl uploadPictureByUrl absolute path traversal |
| CVE-2023-2107 | 2023-04-15 | IBOS del&op=recycle sql injection |
| CVE-2023-29201 | 2023-04-15 | org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability |
| CVE-2023-29202 | 2023-04-15 | org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability |
| CVE-2023-29203 | 2023-04-15 | Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm |
| CVE-2023-29204 | 2023-04-15 | URL Redirection to Untrusted Site ('Open Redirect') in org.xwiki.platform:xwiki-platform-oldcore |
| CVE-2023-29205 | 2023-04-15 | org.xwiki.platform:xwiki-platform-rendering-xwiki vulnerable to stored cross-site scripting via HTML and raw macro |
| CVE-2023-29206 | 2023-04-15 | org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins |
| CVE-2023-29207 | 2023-04-15 | Improper Neutralization of Script-Related HTML Tags (XSS) in the LiveTable Macro |
| CVE-2023-29208 | 2023-04-15 | Data leak through deleted documents |
| CVE-2023-29209 | 2023-04-15 | org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability |
| CVE-2023-29210 | 2023-04-15 | org.xwiki.platform:xwiki-platform-notifications-ui Eval Injection vulnerability |
| CVE-2015-10101 | 2023-04-15 | Google Analytics Top Content Widget Plugin class-tgm-plugin-activation.php cross site scripting |
| CVE-2021-33990 | 2023-04-16 | Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how... |
| CVE-2021-36520 | 2023-04-16 | A SQL injection vulnerability in I-Tech Trainsmart r1044 exists via an evaluation/assign-evaluation?id= URI. |
| CVE-2022-28353 | 2023-04-16 | In the External Redirect Warning Plugin 1.3 for MyBB, the redirect URL (aka external.php?url=) is vulnerable to XSS. |
| CVE-2022-30076 | 2023-04-16 | ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate... |
| CVE-2022-34125 | 2023-04-16 | front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter. |
| CVE-2022-34126 | 2023-04-16 | The Activity plugin before 3.1.1 for GLPI allows reading local files via directory traversal in the front/cra.send.php file parameter. |
| CVE-2022-34127 | 2023-04-16 | The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter. |
| CVE-2022-34128 | 2023-04-16 | The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php. |
| CVE-2022-37186 | 2023-04-16 | In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two... |
| CVE-2022-37255 | 2023-04-16 | TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603. |
| CVE-2022-37306 | 2023-04-16 | OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger. |
| CVE-2022-37704 | 2023-04-16 | Amanda 3.5.1 allows privilege escalation from the regular user backup to root. The SUID binary located at /lib/amanda/rundump will execute /usr/sbin/dump as root with controlled arguments from the attacker which... |
| CVE-2022-37705 | 2023-04-16 | A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges. The vulnerable component is the runtar SUID program, which is a wrapper... |
| CVE-2022-38840 | 2023-04-16 | cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure. |
| CVE-2022-38841 | 2023-04-16 | Linksys AX3200 1.1.00 is vulnerable to OS command injection by authenticated users via shell metacharacters to the diagnostics traceroute page. |
| CVE-2022-40946 | 2023-04-16 | On D-Link DIR-819 Firmware Version 1.06 Hardware Version A1 devices, it is possible to trigger a Denial of Service via the sys_token parameter in a cgi-bin/webproc?getpage=html/index.html request. |
| CVE-2023-30772 | 2023-04-16 | The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device. |
| CVE-2022-48312 | 2023-04-16 | The HwPCAssistant module has the out-of-bounds read/write vulnerability. Successful exploitation of this vulnerability may affect confidentiality and integrity. |
| CVE-2023-29211 | 2023-04-16 | org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability |
| CVE-2023-29212 | 2023-04-16 | xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability |
| CVE-2023-29214 | 2023-04-16 | org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability |
| CVE-2023-29506 | 2023-04-16 | org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticated endpoints |
| CVE-2023-29507 | 2023-04-16 | org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors |
| CVE-2023-29508 | 2023-04-16 | org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Cross-site Scripting |
| CVE-2023-29509 | 2023-04-16 | org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability |
| CVE-2023-30537 | 2023-04-16 | org.xwiki.platform:xwiki-platform-flamingo-theme-ui vulnerable to privilege escalation |
| CVE-2022-48313 | 2023-04-16 | The Bluetooth module has a vulnerability of bypassing the user confirmation in the pairing process. Successful exploitation of this vulnerability may affect confidentiality. |
| CVE-2023-29511 | 2023-04-16 | xwiki-platform-administration-ui vulnerable to privilege escalation |
| CVE-2023-30542 | 2023-04-16 | GovernorCompatibilityBravo may trim proposal calldata |
| CVE-2022-48314 | 2023-04-16 | The Bluetooth module has a vulnerability of bypassing the user confirmation in the pairing process. Successful exploitation of this vulnerability may affect confidentiality. |
| CVE-2023-2108 | 2023-04-16 | SourceCodester Judging Management System edit_contestant.php sql injection |
| CVE-2023-27610 | 2023-04-16 | WordPress Transbank Webpay REST Plugin <= 1.6.6 is vulnerable to SQL Injection |
| CVE-2023-30474 | 2023-04-16 | WordPress Ultimate Noindex Nofollow Tool II Plugin <= 1.3 is vulnerable to Cross Site Request Forgery (CSRF) |
| CVE-2023-22687 | 2023-04-16 | WordPress Freesoul Deactivate Plugins – Plugin manager and cleanup Plugin <= 1.9.4.0 is vulnerable to Sensitive Data Exposure |
| CVE-2022-43480 | 2023-04-16 | WordPress Homepage Pop-up Plugin <= 1.2.5 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2022-43458 | 2023-04-16 | WordPress Advanced Floating Content Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2022-44734 | 2023-04-16 | WordPress Car Rental by BestWebSoft Plugin <= 1.1.2 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2022-45849 | 2023-04-16 | WordPress Activello Theme <= 1.4.4 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2021-33797 | 2023-04-17 | Buffer-overflow in jsdtoa.c in Artifex MuJS in versions 1.0.1 to 1.1.1. An integer overflow happens when js_strtod() reads in floating point exponent, which leads to a buffer overflow in the... |
| CVE-2022-44726 | 2023-04-17 | The TouchDown Timesheet tracking component 4.1.4 for Jira allows XSS in the calendar view. |
| CVE-2022-46389 | 2023-04-17 | Cross-Site Scripting (XSS) vulnerability found on logout functionality |
| CVE-2023-1697 | 2023-04-17 | Junos OS: QFX10000 Series, PTX1000 Series: The dcpfe process will crash when a malformed ethernet frame is received |