CVE List - 2023 / January
Showing 1601 - 1700 of 2351 CVEs for January 2023 (Page 17 of 24)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2023-22964 | 2023-01-20 | Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled. |
| CVE-2023-23010 | 2023-01-20 | Cross Site Scripting (XSS) vulnerability in Ecommerce-CodeIgniter-Bootstrap thru commit d5904379ca55014c5df34c67deda982c73dc7fe5 (on Dec 27, 2022), allows attackers to execute arbitrary code via the languages and trans_load parameters in file add_product.php. |
| CVE-2023-23012 | 2023-01-20 | Cross Site Scripting (XSS) vulnerability in craigrodway classroombookings 2.6.4 allows attackers to execute arbitrary code or other unspecified impacts via the input bgcol in file Weeks.php. |
| CVE-2023-23014 | 2023-01-20 | Cross Site Scripting (XSS) vulnerability in InventorySystem thru commit e08fbbe17902146313501ed0b5feba81d58f455c (on Apr 23, 2021) via edit_store_name and edit_active inputs in file InventorySystem.php. |
| CVE-2023-23015 | 2023-01-20 | Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php. |
| CVE-2023-23024 | 2023-01-20 | Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted... |
| CVE-2023-23143 | 2023-01-20 | Buffer overflow vulnerability in function avc_parse_slice in file media_tools/av_parsers.c. GPAC version 2.3-DEV-rev1-g4669ba229-master. |
| CVE-2023-23144 | 2023-01-20 | Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file bifs/unquantize.c in GPAC version 2.2-rev0-gab012bbfb-master. |
| CVE-2023-23145 | 2023-01-20 | GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a memory leak in lsr_read_rare_full function. |
| CVE-2023-23488 | 2023-01-20 | The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route. |
| CVE-2023-23489 | 2023-01-20 | The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action. |
| CVE-2023-23490 | 2023-01-20 | The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the 'surveys_ids' parameter of its 'ays_surveys_export_json' action. |
| CVE-2023-23491 | 2023-01-20 | The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected by a reflected cross-site scripting vulnerability in the 'category' parameter of its 'qem_ajax_calendar' action. |
| CVE-2023-23492 | 2023-01-20 | The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the 'ID' parameter of its 'lwp_forgot_password' action. |
| CVE-2023-23596 | 2023-01-20 | jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated... |
| CVE-2023-24021 | 2023-01-20 | Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules... |
| CVE-2023-24025 | 2023-01-20 | CRYSTALS-DILITHIUM (in Post-Quantum Cryptography Selected Algorithms 2022) in PQClean d03da30 may allow universal forgeries of digital signatures via a template side-channel attack because of intermediate data leakage of one vector. |
| CVE-2023-24026 | 2023-01-20 | In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload. |
| CVE-2023-24027 | 2023-01-20 | In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name. |
| CVE-2023-24028 | 2023-01-20 | In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function. |
| CVE-2023-23691 | 2023-01-20 | Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection... |
| CVE-2022-40267 | 2023-01-20 | Authentication Bypass Vulnerability in Web Server Function on MELSEC Series |
| CVE-2021-39011 | 2023-01-20 | IBM Cloud Pak for Security information disclosure |
| CVE-2021-39089 | 2023-01-20 | IBM Cloud Pak for Security information disclosure |
| CVE-2023-22458 | 2023-01-20 | Integer overflow in multiple Redis commands can lead to denial-of-service |
| CVE-2022-35977 | 2023-01-20 | Integer overflow in certain command arguments can drive Redis to OOM panic |
| CVE-2022-41733 | 2023-01-20 | IBM InfoSphere Information Server denial of service |
| CVE-2022-1109 | 2023-01-20 | An incorrect default permissions vulnerability in Lenovo Leyun cloud music application could allow denial of service. |
| CVE-2023-23607 | 2023-01-20 | Unrestricted file upload leads to Remote Code Execution in erohtar/Dasherr |
| CVE-2023-22726 | 2023-01-20 | Unrestricted file upload leading to privilege escalation in act |
| CVE-2023-0052 | 2023-01-20 | SAUTER Controls Nova 200–220 Series Missing Authentication for Critical Function |
| CVE-2023-22742 | 2023-01-20 | libgit2 fails to verify SSH keys by default |
| CVE-2023-24040 | 2023-01-21 | dtprintinfo in Common Desktop Environment 1.6 has a bug in the parser of lpstat (an invoked external command) during listing of the names of available printers. This allows low-privileged local... |
| CVE-2020-36655 | 2023-01-21 | Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file. |
| CVE-2023-0433 | 2023-01-21 | Heap-based Buffer Overflow in vim/vim |
| CVE-2023-22617 | 2023-01-21 | A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is... |
| CVE-2023-24038 | 2023-01-21 | The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes. |
| CVE-2023-24039 | 2023-01-21 | A stack-based buffer overflow in ParseColors in libXm in Common Desktop Environment 1.6 can be exploited by local low-privileged users via the dtprintinfo setuid binary to escalate their privileges to... |
| CVE-2023-24042 | 2023-01-21 | A race condition in LightFTP through 2.2 allows an attacker to achieve path traversal via a malformed FTP request. A handler thread can use an overwritten context->FileName. |
| CVE-2023-22884 | 2023-01-21 | Apache Airflow, Apache Airflow MySQL Provider: Arbitrary file read via MySQL provider in Apache Airflow |
| CVE-2023-24055 | 2023-01-22 | KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE:... |
| CVE-2023-0434 | 2023-01-22 | Improper Input Validation in pyload/pyload |
| CVE-2023-0435 | 2023-01-22 | Excessive Attack Surface in pyload/pyload |
| CVE-2023-24044 | 2023-01-22 | A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's... |
| CVE-2023-24056 | 2023-01-22 | In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to... |
| CVE-2023-24058 | 2023-01-22 | Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php. NOTE: 2.5.5 is a version from 2014; the... |
| CVE-2023-24059 | 2023-01-22 | Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023. |
| CVE-2022-47065 | 2023-01-23 | TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the submit-url parameter at /formNewSchedule. This vulnerability allows attackers to execute arbitrary code... |
| CVE-2023-21775 | 2023-01-23 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability |
| CVE-2023-21795 | 2023-01-23 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2023-21796 | 2023-01-23 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2023-24068 | 2023-01-23 | Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files,... |
| CVE-2023-24069 | 2023-01-23 | Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared.... |
| CVE-2023-24070 | 2023-01-23 | app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field. |
| CVE-2023-24095 | 2023-01-23 | TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the submit-url parameter at /formSystemCheck. This vulnerability allows attackers to execute arbitrary code... |
| CVE-2023-24099 | 2023-01-23 | TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the username parameter at /formWizardPassword. This vulnerability allows attackers to execute arbitrary code... |
| CVE-2021-43444 | 2023-01-23 | ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. Signed document download URLs can be forged due to a weak default URL signing key. |
| CVE-2021-43445 | 2023-01-23 | ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An attacker can authenticate with the web socket service of the ONLYOFFICE document editor which is protected by... |
| CVE-2021-43446 | 2023-01-23 | ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS). The "macros" feature of the document editor allows malicious cross site scripting payloads to be used. |
| CVE-2021-43447 | 2023-01-23 | ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication. |
| CVE-2021-43448 | 2023-01-23 | ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with... |
| CVE-2021-43449 | 2023-01-23 | ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Server-Side Request Forgery (SSRF). The document editor service can be abused to read and serve arbitrary URLs as a document. |
| CVE-2022-23005 | 2023-01-23 | Host Boot ROM Code Vulnerability in Systems Implementing UFS Boot Feature |
| CVE-2022-37718 | 2023-01-23 | The management portal component of JetNexus/EdgeNexus ADC 4.2.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands through a specially crafted payload.... |
| CVE-2022-37719 | 2023-01-23 | A Cross-Site Request Forgery (CSRF) in the management portal of JetNexus/EdgeNexus ADC 4.2.8 allows attackers to escalate privileges and execute arbitrary code via unspecified vectors. |
| CVE-2022-38725 | 2023-01-23 | An integer overflow in the RFC3164 parser in One Identity syslog-ng 3.0 through 3.37 allows remote attackers to cause a Denial of Service via crafted syslog input that is mishandled... |
| CVE-2022-40034 | 2023-01-23 | Cross-Site Scripting (XSS) vulnerability found in Rawchen blog-ssm v1.0 allows attackers to execute arbitrary code via the 'notifyInfo' parameter. |
| CVE-2022-41505 | 2023-01-23 | An access control issue on TP-LInk Tapo C200 V1 devices allows physically proximate attackers to obtain root access by connecting to the UART pins, interrupting the boot process, and setting... |
| CVE-2022-46639 | 2023-01-23 | A vulnerability in the descarga_etiqueta.php component of Correos Prestashop 1.7.x allows attackers to execute a directory traversal. |
| CVE-2022-46959 | 2023-01-23 | An issue in the component /admin/backups/work-dir of Sonic v1.0.4 allows attackers to execute a directory traversal. |
| CVE-2022-48281 | 2023-01-23 | processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image. |
| CVE-2023-0438 | 2023-01-23 | Cross-Site Request Forgery (CSRF) in modoboa/modoboa |
| CVE-2023-0440 | 2023-01-23 | Observable Discrepancy in healthchecks/healthchecks |
| CVE-2023-21719 | 2023-01-23 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| CVE-2023-22630 | 2023-01-23 | IzyBat Orange casiers before 20221102_1 allows SQL Injection via a getCasier.php?taille= URI. |
| CVE-2023-22960 | 2023-01-23 | Lexmark products through 2023-01-10 have Improper Control of Interaction Frequency. |
| CVE-2023-23314 | 2023-01-23 | An arbitrary file upload vulnerability in the /api/upload component of zdir v3.2.0 allows attackers to execute arbitrary code via a crafted .ssh file. |
| CVE-2023-23560 | 2023-01-23 | In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation. |
| CVE-2023-24096 | 2023-01-23 | TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the newpass parameter at /formPasswordSetup. This vulnerability allows attackers to execute arbitrary code... |
| CVE-2023-24097 | 2023-01-23 | TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the submit-url parameter at /formPasswordAuth. This vulnerability allows attackers to execute arbitrary code... |
| CVE-2023-24098 | 2023-01-23 | TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the submit-url parameter at /formSysLog. This vulnerability allows attackers to execute arbitrary code... |
| CVE-2022-4832 | 2023-01-23 | Store Locator WordPress < 1.4.9 - Contributor+ Stored XSS via Shortcode |
| CVE-2022-4625 | 2023-01-23 | Login Logout Menu < 1.4.0 - Contributor+ Stored XSS in Shortcode |
| CVE-2022-4760 | 2023-01-23 | OneClick Chat to Order < 1.0.4.2 - Contributor+ Stored XSS via Shortcode |
| CVE-2022-4672 | 2023-01-23 | WordPress Simple Shopping Cart < 4.6.2 - Contributor+ Stored XSS via Shortcode |
| CVE-2022-4629 | 2023-01-23 | Product Slider for WooCommerce < 2.6.4 - Contributor+ Stored XSS in Shortcode |
| CVE-2022-4668 | 2023-01-23 | Easy Appointments < 3.11.2 - Contributor+ Stored XSS in Shortcode |
| CVE-2022-4716 | 2023-01-23 | WP Popups < 2.1.4.8 - Contributor+ Stored XSS |
| CVE-2022-4346 | 2023-01-23 | All In One WP Security & Firewall < 5.1.3 - Configuration Leak |
| CVE-2022-4307 | 2023-01-23 | Pardakht Delkhah < 2.9.3 - Unauthenticated Stored XSS |
| CVE-2021-24881 | 2023-01-23 | Passster < 3.5.5.9 - Protection Bypass & Arbitrary Post Access |
| CVE-2022-4673 | 2023-01-23 | Rate my Post – WP Rating System < 3.3.9 - Contributor+ Stored XSS via Shortcode |
| CVE-2022-4624 | 2023-01-23 | GS Logo Slider < 3.3.8 - Contributor+ Stored XSS in Shortcode |
| CVE-2022-4576 | 2023-01-23 | Easy Bootstrap Shortcode <= 4.5.4 - Contributor+ Stored XSS |
| CVE-2022-4746 | 2023-01-23 | FluentAuth < 1.0.2 - Bypass blocks by IP Spoofing |
| CVE-2022-4443 | 2023-01-23 | BruteBank - WP Security & Firewall < 1.9 - Settings Update via CSRF |
| CVE-2022-4475 | 2023-01-23 | Collapse-O-Matic < 1.8.3 - Contributor+ Stored XSS |
| CVE-2022-4789 | 2023-01-23 | WPZOOM Portfolio < 1.2.2 - Contributor+ Stored XSS via Shortcode |
| CVE-2022-4675 | 2023-01-23 | Mongoose Page Plugin < 1.9.0 - Contributor+ Stored XSS via Shortcode |
| CVE-2022-4570 | 2023-01-23 | Top 10 < 3.2.3 - Contributor+ Stored XSS |