Total
5367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-23619 | 1 Lfprojects | 1 Modelina | 2024-11-21 | N/A | 9.9 CRITICAL |
| Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the default presets and/or does not handle the functionality themself. This issue has been partially mitigated in version 1.0.0, with the maintainer's GitHub Security Advisory (GHSA) noting "It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue. Further similar situations are NOT seen as a security issue, but intended behavior." The suggested workaround from the maintainers is "Fully custom presets that change the entire rendering process which can then escape the user input." | |||||
| CVE-2023-23551 | 1 Controlbyweb | 2 X-600m, X-600m Firmware | 2024-11-21 | N/A | 9.1 CRITICAL |
| Control By Web X-600M devices run Lua scripts and are vulnerable to code injection, which could allow an attacker to remotely execute arbitrary code. | |||||
| CVE-2023-23477 | 5 Hp, Ibm, Linux and 2 more | 8 Hp-ux, Aix, I and 5 more | 2024-11-21 | N/A | 8.1 HIGH |
| IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. IBM X-Force ID: 245513. | |||||
| CVE-2023-22731 | 1 Shopware | 1 Shopware | 2024-11-21 | N/A | 9.9 CRITICAL |
| Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin. | |||||
| CVE-2023-22677 | 1 Binarystash | 1 Wp Booklet | 2024-11-21 | N/A | 8.5 HIGH |
| Improper Control of Generation of Code ('Code Injection') vulnerability in BinaryStash WP Booklet.This issue affects WP Booklet: from n/a through 2.1.8. | |||||
| CVE-2023-22506 | 1 Atlassian | 2 Bamboo Data Center, Bamboo Server | 2024-11-21 | N/A | 8.8 HIGH |
| This High severity Injection and RCE (Remote Code Execution) vulnerability known as CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center. This Injection and RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.5, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction. Atlassian recommends that you upgrade your instance to latest version. If you're unable to upgrade to latest, upgrade to one of these fixed versions: 9.2.3 and 9.3.1. See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html|https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Bamboo Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives|https://www.atlassian.com/software/bamboo/download-archives]). This vulnerability was reported via our Penetration Testing program. | |||||
| CVE-2023-22381 | 1 Github | 1 Enterprise Server | 2024-11-21 | N/A | 4.1 MEDIUM |
| A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 and was fixed in versions 3.4.15, 3.5.12, 3.6.8, 3.7.5. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2023-21890 | 1 Oracle | 1 Communications Converged Application Server | 2024-11-21 | N/A | 9.8 CRITICAL |
| Vulnerability in the Oracle Communications Converged Application Server product of Oracle Communications (component: Core). Supported versions that are affected are 7.1.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via UDP to compromise Oracle Communications Converged Application Server. Successful attacks of this vulnerability can result in takeover of Oracle Communications Converged Application Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2023-21886 | 1 Oracle | 1 Vm Virtualbox | 2024-11-21 | N/A | 8.1 HIGH |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.42 and prior to 7.0.6. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2023-21569 | 1 Microsoft | 1 Azure Devops Server | 2024-11-21 | N/A | 5.5 MEDIUM |
| Azure DevOps Server Spoofing Vulnerability | |||||
| CVE-2023-21553 | 1 Microsoft | 1 Azure Devops Server | 2024-11-21 | N/A | 7.5 HIGH |
| Azure DevOps Server Remote Code Execution Vulnerability | |||||
| CVE-2023-20209 | 1 Cisco | 1 Telepresence Video Communication Server | 2024-11-21 | N/A | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges. | |||||
| CVE-2023-1947 | 1 Taogogo | 1 Taocms | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in taoCMS 3.0.2. It has been classified as critical. Affected is an unknown function of the file /admin/admin.php. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-225330 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-1773 | 1 Rockoa | 1 Rockoa | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in Rockoa 2.3.2. It has been declared as critical. This vulnerability affects unknown code of the file webmainConfig.php of the component Configuration File Handler. The manipulation leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-224674 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-1482 | 1 Hkcms Project | 1 Hkcms | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability, which was classified as problematic, was found in HkCms 2.2.4.230206. This affects an unknown part of the file /admin.php/appcenter/local.html?type=addon of the component External Plugin Handler. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223365 was assigned to this vulnerability. | |||||
| CVE-2023-1367 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 3.8 LOW |
| Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | |||||
| CVE-2023-1287 | 1 3ds | 1 Enovia Live Collaboration | 2024-11-21 | N/A | 9.0 CRITICAL |
| An XSL template vulnerability in ENOVIA Live Collaboration V6R2013xE allows Remote Code Execution. | |||||
| CVE-2023-1283 | 1 Builder | 1 Qwik | 2024-11-21 | N/A | 10.0 CRITICAL |
| Code Injection in GitHub repository builderio/qwik prior to 0.21.0. | |||||
| CVE-2023-1250 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 7.4 HIGH |
| Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | |||||
| CVE-2023-1178 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.7 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit. | |||||