CVE List - 2023 / December
Showing 501 - 600 of 2673 CVEs for December 2023 (Page 6 of 27)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2023-33413 | 2023-12-07 | The configuration functionality in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions through 3.17.02, allows remote authenticated... |
| CVE-2023-39909 | 2023-12-07 | Ericsson Network Manager before 23.2 mishandles Access Control and thus unauthenticated low-privilege users can access the NCM application. |
| CVE-2023-40238 | 2023-12-07 | A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain... |
| CVE-2023-40300 | 2023-12-07 | NETSCOUT nGeniusPULSE 3.8 has a Hardcoded Cryptographic Key. |
| CVE-2023-40302 | 2023-12-07 | NETSCOUT nGeniusPULSE 3.8 has a Weak File Permissions vulnerability. |
| CVE-2023-41106 | 2023-12-07 | An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.3. An attacker can gain access to a Zimbra account. This is also fixed in 9.0.0 Patch 35 and 8.8.15 Patch... |
| CVE-2023-41168 | 2023-12-07 | NetScout nGeniusONE 6.3.4 build 2298 allows a Stored Cross-Site scripting vulnerability (issue 1 of 4). |
| CVE-2023-41169 | 2023-12-07 | NetScout nGeniusONE 6.3.4 build 2298 allows a Stored Cross-Site scripting vulnerability (issue 2 of 4). |
| CVE-2023-41170 | 2023-12-07 | NetScout nGeniusONE 6.3.4 build 2298 allows a Reflected Cross-Site scripting vulnerability. |
| CVE-2023-41171 | 2023-12-07 | NetScout nGeniusONE 6.3.4 build 2298 allows a Stored Cross-Site scripting vulnerability (issue 3 of 4). |
| CVE-2023-41172 | 2023-12-07 | NetScout nGeniusONE 6.3.4 build 2298 allows a Stored Cross-Site scripting vulnerability (issue 4 of 4). |
| CVE-2023-41905 | 2023-12-07 | NETSCOUT nGeniusONE 6.3.4 build 2298 allows a Reflected Cross-Site scripting (XSS) vulnerability by an authenticated user. |
| CVE-2023-43102 | 2023-12-07 | An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.4. An XSS issue can be exploited to access the mailbox of an authenticated user. This is also fixed in 8.8.15... |
| CVE-2023-43103 | 2023-12-07 | An XSS issue was discovered in a web endpoint in Zimbra Collaboration (ZCS) before 10.0.4 via an unsanitized parameter. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch... |
| CVE-2023-43298 | 2023-12-07 | An issue in SCOL Members Card mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. |
| CVE-2023-43299 | 2023-12-07 | An issue in DA BUTCHERS mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. |
| CVE-2023-43300 | 2023-12-07 | An issue in urban_project mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. |
| CVE-2023-43301 | 2023-12-07 | An issue in DARTS SHOP MAXIM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. |
| CVE-2023-43302 | 2023-12-07 | An issue in sanTas mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. |
| CVE-2023-43303 | 2023-12-07 | An issue in craftbeer bar canvas mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. |
| CVE-2023-46693 | 2023-12-07 | Cross Site Scripting (XSS) vulnerability in FormaLMS before 4.0.5 allows attackers to run arbitrary code via title parameters. |
| CVE-2023-46857 | 2023-12-07 | Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the... |
| CVE-2023-46871 | 2023-12-07 | GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a memory leak in NewSFDouble scenegraph/vrml_tools.c:300. This vulnerability may lead to a denial of service. |
| CVE-2023-46916 | 2023-12-07 | Maxima Max Pro Power 1.0 486A devices allow BLE traffic replay. An attacker can use GATT characteristic handle 0x0012 to perform potentially disruptive actions such as starting a Heart Rate... |
| CVE-2023-46974 | 2023-12-07 | Cross Site Scripting vulnerability in Best Courier Management System v.1.000 allows a remote attacker to execute arbitrary code via a crafted payload to the page parameter in the URL. |
| CVE-2023-47440 | 2023-12-07 | Gladys Assistant v4.27.0 and prior is vulnerable to Directory Traversal. The patch of CVE-2023-43256 was found to be incomplete, allowing authenticated attackers to extract sensitive files in the host machine. |
| CVE-2023-48172 | 2023-12-07 | A Cross Site Scripting (XSS) vulnerability in Shuttle Booking Software 2.0 allows a remote attacker to inject JavaScript via the name, description, title, or address parameter to index.php. |
| CVE-2023-48205 | 2023-12-07 | Jorani Leave Management System 1.0.2 allows a remote attacker to spoof a Host header associated with password reset emails. |
| CVE-2023-48206 | 2023-12-07 | A Cross Site Scripting (XSS) vulnerability in GaatiTrack Courier Management System 1.0 allows a remote attacker to inject JavaScript via the page parameter to login.php or header.php. |
| CVE-2023-48207 | 2023-12-07 | Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component. |
| CVE-2023-48208 | 2023-12-07 | A Cross Site Scripting vulnerability in Availability Booking Calendar 5.0 allows an attacker to inject JavaScript via the name, plugin_sms_api_key, plugin_sms_country_code, uuid, title, or country name parameter to index.php. |
| CVE-2023-48823 | 2023-12-07 | A Blind SQL injection issue in ajax.php in GaatiTrack Courier Management System 1.0 allows an unauthenticated attacker to inject a payload via the email parameter during login. |
| CVE-2023-48824 | 2023-12-07 | BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action. |
| CVE-2023-48825 | 2023-12-07 | Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code. |
| CVE-2023-48826 | 2023-12-07 | Time Slots Booking Calendar 4.0 is vulnerable to CSV Injection via the unique ID field of the Reservations List. |
| CVE-2023-48827 | 2023-12-07 | Time Slots Booking Calendar 4.0 is vulnerable to Multiple HTML Injection issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. |
| CVE-2023-48828 | 2023-12-07 | Time Slots Booking Calendar 4.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. |
| CVE-2023-48830 | 2023-12-07 | Shuttle Booking Software 2.0 is vulnerable to CSV Injection in the Languages section via an export. |
| CVE-2023-48831 | 2023-12-07 | A lack of rate limiting in pjActionAJaxSend in Availability Booking Calendar 5.0 allows attackers to cause resource exhaustion. |
| CVE-2023-48833 | 2023-12-07 | A lack of rate limiting in pjActionAJaxSend in Time Slots Booking Calendar 4.0 allows attackers to cause resource exhaustion. |
| CVE-2023-48835 | 2023-12-07 | Car Rental Script v3.0 is vulnerable to CSV Injection via a Language > Labels > Export action. |
| CVE-2023-48836 | 2023-12-07 | Car Rental Script 3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. |
| CVE-2023-48837 | 2023-12-07 | Car Rental Script 3.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code. |
| CVE-2023-48838 | 2023-12-07 | Appointment Scheduler 3.0 is vulnerable to Multiple HTML Injection issues via the SMS API Key or Default Country Code. |
| CVE-2023-48839 | 2023-12-07 | Appointment Scheduler 3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. |
| CVE-2023-48840 | 2023-12-07 | A lack of rate limiting in pjActionAjaxSend in Appointment Scheduler 3.0 allows attackers to cause resource exhaustion. |
| CVE-2023-48841 | 2023-12-07 | Appointment Scheduler 3.0 is vulnerable to CSV Injection via a Language > Labels > Export action. |
| CVE-2023-48860 | 2023-12-07 | TOTOLINK N300RT version 3.2.4-B20180730.0906 has a post-authentication RCE due to incorrect access control, allowing attackers to bypass front-end security restrictions and execute arbitrary code. |
| CVE-2023-48861 | 2023-12-07 | DLL hijacking vulnerability in TTplayer version 7.0.2, allows local attackers to escalate privileges and execute arbitrary code via urlmon.dll. |
| CVE-2023-48958 | 2023-12-07 | gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in gf_mpd_resolve_url media_tools/mpd.c:4589. |
| CVE-2023-49402 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function localMsg. |
| CVE-2023-49403 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a command injection vulnerability via the function setFixTools. |
| CVE-2023-49405 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function UploadCfg. |
| CVE-2023-49406 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a Command Execution vulnerability via the function /goform/telnet. |
| CVE-2023-49408 | 2023-12-07 | Tenda AX3 V16.03.12.11 was discovered to contain a stack overflow via the function set_device_name. |
| CVE-2023-49409 | 2023-12-07 | Tenda AX3 V16.03.12.11 was discovered to contain a Command Execution vulnerability via the function /goform/telnet. |
| CVE-2023-49410 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function set_wan_status. |
| CVE-2023-49411 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) contains a stack overflow vulnerability via the function formDeleteMeshNode. |
| CVE-2023-49424 | 2023-12-07 | Tenda AX12 V22.03.01.46 was discovered to contain a stack overflow via the list parameter at /goform/SetVirtualServerCfg. |
| CVE-2023-49425 | 2023-12-07 | Tenda AX12 V22.03.01.46 was discovered to contain a stack overflow via the deviceList parameter at /goform/setMacFilterCfg. |
| CVE-2023-49426 | 2023-12-07 | Tenda AX12 V22.03.01.46 was discovered to contain a stack overflow via the list parameter at /goform/SetStaticRouteCfg. |
| CVE-2023-49428 | 2023-12-07 | Tenda AX12 V22.03.01.46 has been discovered to contain a command injection vulnerability in the 'mac' parameter at /goform/SetOnlineDevName. |
| CVE-2023-49429 | 2023-12-07 | Tenda AX9 V22.03.01.46 was discovered to contain a SQL command injection vulnerability in the 'setDeviceInfo' feature through the 'mac' parameter at /goform/setModules. |
| CVE-2023-49430 | 2023-12-07 | Tenda AX9 V22.03.01.46 has been found to contain a stack overflow vulnerability in the 'list' parameter at /goform/SetStaticRouteCfg. |
| CVE-2023-49431 | 2023-12-07 | Tenda AX9 V22.03.01.46 has been discovered to contain a command injection vulnerability in the 'mac' parameter at /goform/SetOnlineDevName. |
| CVE-2023-49432 | 2023-12-07 | Tenda AX9 V22.03.01.46 has been found to contain a stack overflow vulnerability in the 'deviceList' parameter at /goform/setMacFilterCfg. |
| CVE-2023-49433 | 2023-12-07 | Tenda AX9 V22.03.01.46 has been found to contain a stack overflow vulnerability in the 'list' parameter at /goform/SetVirtualServerCfg. |
| CVE-2023-49434 | 2023-12-07 | Tenda AX9 V22.03.01.46 has been found to contain a stack overflow vulnerability in the 'list' parameter at /goform/SetNetControlList. |
| CVE-2023-49435 | 2023-12-07 | Tenda AX9 V22.03.01.46 is vulnerable to command injection. |
| CVE-2023-49436 | 2023-12-07 | Tenda AX9 V22.03.01.46 has been discovered to contain a command injection vulnerability in the 'list' parameter at /goform/SetNetControlList. |
| CVE-2023-49460 | 2023-12-07 | libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image. |
| CVE-2023-49462 | 2023-12-07 | libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc. |
| CVE-2023-49463 | 2023-12-07 | libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc. |
| CVE-2023-49464 | 2023-12-07 | libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci. |
| CVE-2023-49465 | 2023-12-07 | Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc. |
| CVE-2023-49467 | 2023-12-07 | Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc. |
| CVE-2023-49468 | 2023-12-07 | Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc. |
| CVE-2023-49492 | 2023-12-07 | DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the imgstick parameter at selectimages.php. |
| CVE-2023-49955 | 2023-12-07 | An issue was discovered in Dalmann OCPP.Core before 1.2.0 for OCPP (Open Charge Point Protocol) for electric vehicles. It does not validate the length of the chargePointVendor field in a... |
| CVE-2023-49956 | 2023-12-07 | An issue was discovered in Dalmann OCPP.Core before 1.3.0 for OCPP (Open Charge Point Protocol) for electric vehicles. A StopTransaction message with any random transactionId terminates active transactions. |
| CVE-2023-49957 | 2023-12-07 | An issue was discovered in Dalmann OCPP.Core before 1.3.0 for OCPP (Open Charge Point Protocol) for electric vehicles. It permits multiple transactions with the same connectorId and idTag, contrary to... |
| CVE-2023-49958 | 2023-12-07 | An issue was discovered in Dalmann OCPP.Core through 1.2.0 for OCPP (Open Charge Point Protocol) for electric vehicles. The server processes mishandle StartTransaction messages containing additional, arbitrary properties, or duplicate... |
| CVE-2023-49967 | 2023-12-07 | Typecho v1.2.1 was discovered to be vulnerable to an XML Quadratic Blowup attack via the component /index.php/action/xmlrpc. |
| CVE-2023-49999 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a command injection vulnerability via the function setUmountUSBPartition. |
| CVE-2023-50000 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formResetMeshNode. |
| CVE-2023-50001 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formUpgradeMeshOnline. |
| CVE-2023-50002 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formRebootMeshNode. |
| CVE-2023-40301 | 2023-12-07 | NETSCOUT nGeniusPULSE 3.8 has a Command Injection Vulnerability. |
| CVE-2023-41913 | 2023-12-07 | strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected... |
| CVE-2023-43304 | 2023-12-07 | An issue in PARK DANDAN mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. |
| CVE-2023-46307 | 2023-12-07 | An issue was discovered in server.js in etcd-browser 87ae63d75260. By supplying a /../../../ Directory Traversal input to the URL's GET request while connecting to the remote server port specified during... |
| CVE-2023-48834 | 2023-12-07 | A lack of rate limiting in pjActionAjaxSend in Car Rental v3.0 allows attackers to cause resource exhaustion. |
| CVE-2023-49404 | 2023-12-07 | Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formAdvancedSetListSet. |
| CVE-2023-49437 | 2023-12-07 | Tenda AX12 V22.03.01.46 has been discovered to contain a command injection vulnerability in the 'list' parameter at /goform/SetNetControlList. |
| CVE-2023-49493 | 2023-12-07 | DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the v parameter at selectimages.php. |
| CVE-2023-6566 | 2023-12-07 | Business Logic Errors in microweber/microweber |
| CVE-2023-46218 | 2023-12-07 | This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows... |
| CVE-2023-5711 | 2023-12-07 | The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all... |
| CVE-2023-5761 | 2023-12-07 | The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'url' parameter in versions 1.4.0 to 1.4.6.1 (free) and versions 1.4.0 to... |
| CVE-2023-5714 | 2023-12-07 | The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all... |