CVE List - 2023 / December
Showing 2301 - 2400 of 2673 CVEs for December 2023 (Page 24 of 27)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2023-50339 | 2023-12-26 | Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. If this vulnerability is exploited, an arbitrary script may be executed on the... |
| CVE-2023-45737 | 2023-12-26 | Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary... |
| CVE-2023-45740 | 2023-12-26 | Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser... |
| CVE-2023-46699 | 2023-12-26 | Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. If a user views a malicious page while logging in, settings may... |
| CVE-2023-47215 | 2023-12-26 | Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be... |
| CVE-2023-49119 | 2023-12-26 | Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser... |
| CVE-2023-49598 | 2023-12-26 | Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed... |
| CVE-2023-49779 | 2023-12-26 | Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser... |
| CVE-2023-49807 | 2023-12-26 | Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser... |
| CVE-2023-50175 | 2023-12-26 | Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability... |
| CVE-2023-50294 | 2023-12-26 | The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained... |
| CVE-2023-50332 | 2023-12-26 | Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. If this vulnerability is exploited, a user may delete or suspend its own account... |
| CVE-2023-42436 | 2023-12-26 | Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser... |
| CVE-2023-45741 | 2023-12-26 | VR-S1000 firmware Ver. 2.37 and earlier allows an attacker with access to the product's web management page to execute arbitrary OS commands. |
| CVE-2023-46681 | 2023-12-26 | Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in VR-S1000 firmware Ver. 2.37 and earlier allows an authenticated attacker who can access to the product's command line... |
| CVE-2023-46711 | 2023-12-26 | VR-S1000 firmware Ver. 2.37 and earlier uses a hard-coded cryptographic key which may allow an attacker to analyze the password of a specific product user. |
| CVE-2023-51363 | 2023-12-26 | VR-S1000 firmware Ver. 2.37 and earlier allows a network-adjacent unauthenticated attacker who can access the product's web management page to obtain sensitive information. |
| CVE-2023-5180 | 2023-12-26 | Out-of-bounds Write vulnerability exists in ODA Drawings SDK before 2024.12 |
| CVE-2012-10017 | 2023-12-26 | BestWebSoft Portfolio Plugin cross-site request forgery |
| CVE-2023-50968 | 2023-12-26 | Apache OFBiz: Arbitrary file properties reading and SSRF attack |
| CVE-2023-51467 | 2023-12-26 | Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability |
| CVE-2014-125109 | 2023-12-26 | BestWebSoft Portfolio Plugin bws_menu.php bws_add_menu_render cross site scripting |
| CVE-2015-10127 | 2023-12-26 | PlusCaptcha Plugin cross site scripting |
| CVE-2023-5931 | 2023-12-26 | rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Subscriber+ RCE |
| CVE-2023-6166 | 2023-12-26 | Quiz Maker < 6.4.9.5 - Reflected Cross-Site Scripting |
| CVE-2023-5674 | 2023-12-26 | WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs/send_mail endpoint |
| CVE-2023-5673 | 2023-12-26 | WP Mail Log < 1.1.3 – Contributor+ Arbitrary File Upload to RCE |
| CVE-2023-6268 | 2023-12-26 | JSON Content Importer < 1.5.4 - Reflected XSS |
| CVE-2023-5645 | 2023-12-26 | WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint |
| CVE-2023-5203 | 2023-12-26 | WP Sessions Time Monitoring Full Automatic < 1.0.9 - Unauthenticated SQL injection |
| CVE-2023-5644 | 2023-12-26 | WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints |
| CVE-2023-5672 | 2023-12-26 | WP Mail Log < 1.1.3 – Contributor+ LFI in wml_logs/send_mail endpoint |
| CVE-2023-5939 | 2023-12-26 | rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Admin+ RCE |
| CVE-2023-6250 | 2023-12-26 | BestWebSoft's Like & Share < 2.74 - Unauthenticated Password Protected Post Read |
| CVE-2023-6155 | 2023-12-26 | Quiz Maker < 6.4.9.5 - Unauthenticated Email Address Disclosure |
| CVE-2023-6114 | 2023-12-26 | Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure |
| CVE-2023-5980 | 2023-12-26 | BSK Forms Blacklist < 3.7 - Admin+ Stored Cross-Site Scripting |
| CVE-2023-5991 | 2023-12-26 | Hotel Booking Lite < 4.8.5 - Unauthenticated Arbitrary File Download & Deletion |
| CVE-2023-40038 | 2023-12-27 | Arris DG860A and DG1670A devices have predictable default WPA2 PSKs that could lead to unauthorized remote access. (They use the first 6 characters of the SSID and the last 6... |
| CVE-2023-43481 | 2023-12-27 | An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePageActivity component. |
| CVE-2023-43955 | 2023-12-27 | The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary downloads via JavaScript... |
| CVE-2023-46918 | 2023-12-27 | Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus has an Android manifest file that contains an entry with the android:allowBackup attribute set to true. This could be leveraged by an... |
| CVE-2023-46919 | 2023-12-27 | Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hardcoded aKySWb2jjrr4dzkYXczKRt7K (AES) encryption key. An attacker with physical access to the application's... |
| CVE-2023-47882 | 2023-12-27 | The Kami Vision YI IoT com.yunyi.smartcamera application through 4.1.9_20231127 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component. |
| CVE-2023-47883 | 2023-12-27 | The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity. |
| CVE-2023-49000 | 2023-12-27 | An issue in ArtistScope ArtisBrowser v.34.1.5 and before allows an attacker to bypass intended access restrictions via interaction with the com.artis.browser.IntentReceiverActivity component. NOTE: this is disputed by the vendor, who... |
| CVE-2023-49001 | 2023-12-27 | An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an attacker to bypass intended access restrictions via interaction with the com.example.gurry.kvbrowswer.webview component. |
| CVE-2023-49002 | 2023-12-27 | An issue in Xenom Technologies (sinous) Phone Dialer-voice Call Dialer v.1.2.5 allows an attacker to bypass intended access restrictions via interaction with com.funprime.calldialer.ui.activities.OutgoingActivity. |
| CVE-2023-49003 | 2023-12-27 | An issue in simplemobiletools Simple Dialer 5.18.1 allows an attacker to bypass intended access restrictions via interaction with com.simplemobiletools.dialer.activities.DialerActivity. |
| CVE-2023-51074 | 2023-12-27 | json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method. |
| CVE-2023-51079 | 2023-12-27 | A long execution time can occur in the ParseTools.subCompileExpression method in MVEL 2.5.0.Final because of many Java class lookups. NOTE: the vendor disputes this because "the only thing that you... |
| CVE-2023-51080 | 2023-12-27 | The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was discovered to contain a stack overflow. |
| CVE-2023-51084 | 2023-12-27 | hyavijava v6.0.07.1 was discovered to contain a stack overflow via the ResultConverter.convert2Xml method. |
| CVE-2023-51075 | 2023-12-27 | hutool-core v5.8.23 was discovered to contain an infinite loop in the StrSplitter.splitByRegex function. This vulnerability allows attackers to cause a Denial of Service (DoS) via manipulation of the first two... |
| CVE-2023-6190 | 2023-12-27 | Authenicated Path Traversal in İzmir Katip Çelebi University |
| CVE-2023-7116 | 2023-12-27 | WeiYe-Jing datax-web HTTP POST Request killJob os command injection |
| CVE-2023-4641 | 2023-12-27 | Shadow-utils: possible password leak during passwd(1) change |
| CVE-2023-3171 | 2023-12-27 | Eap-7: heap exhaustion via deserialization |
| CVE-2023-50255 | 2023-12-27 | Zip Path Traversal in Deepin-Compressor |
| CVE-2023-51443 | 2023-12-27 | FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation |
| CVE-2023-51664 | 2023-12-27 | tj-actions/changed-files command injection in output filenames |
| CVE-2023-51697 | 2023-12-27 | Audiobookshelf vulnerable to Blind SSRF in `podcastUtils.js` |
| CVE-2023-51665 | 2023-12-27 | Audiobookshelf vulnerable to Blind SSRF in `Auth.js` |
| CVE-2023-51700 | 2023-12-27 | WP-Mobile-BankID-Integration WordPress Database Deserialization: Potential for Object Injection |
| CVE-2023-52077 | 2023-12-27 | External apps using tokens issued by administrators and moderators can call admin APIs |
| CVE-2023-52075 | 2023-12-27 | ReVanced API vulnerable to Denial of Service due to lack of error caching |
| CVE-2023-6879 | 2023-12-27 | heap buffer overflow in libaom |
| CVE-2023-7123 | 2023-12-27 | SourceCodester Medicine Tracking System sql injection |
| CVE-2023-46987 | 2023-12-28 | SeaCMS v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the component /augap/adminip.php. |
| CVE-2023-46989 | 2023-12-28 | SQL Injection vulnerability in the Innovadeluxe Quick Order module for PrestaShop before v.1.4.0, allows local attackers to execute arbitrary code via the getProducts() function in the productlist.php file. |
| CVE-2023-49228 | 2023-12-28 | An issue was discovered in Peplink Balance Two before 8.4.0. Console port authentication uses hard-coded credentials, which allows an attacker with physical access and sufficient knowledge to execute arbitrary commands... |
| CVE-2023-49229 | 2023-12-28 | An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in the administration web service allows read-only, unprivileged users to obtain sensitive information about the device... |
| CVE-2023-49230 | 2023-12-28 | An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication. |
| CVE-2023-49469 | 2023-12-28 | Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2, allows remote attackers to execute arbitrary code via search tag function. |
| CVE-2023-50038 | 2023-12-28 | There is an arbitrary file upload vulnerability in the background of textpattern cms v4.8.8, which leads to the loss of server permissions. |
| CVE-2023-50104 | 2023-12-28 | ZZCMS 2023 has a file upload vulnerability in 3/E_bak5.1/upload/index.php, allowing attackers to exploit this loophole to gain server privileges and execute arbitrary code. |
| CVE-2023-50445 | 2023-12-28 | Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7., allows... |
| CVE-2023-50448 | 2023-12-28 | In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at... |
| CVE-2023-50470 | 2023-12-28 | A cross-site scripting (XSS) vulnerability in the component admin_ Video.php of SeaCMS v12.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2023-51006 | 2023-12-28 | An issue in the openFile method of Chinese Perpetual Calendar v9.0.0 allows attackers to read any file via unspecified vectors. |
| CVE-2023-51010 | 2023-12-28 | An issue in the export component AdSdkH5Activity of com.sdjictec.qdmetro v4.2.2 allows attackers to open a crafted URL without any filtering or checking. |
| CVE-2023-52152 | 2023-12-28 | mupnp/net/uri.c in mUPnP for C through 3.0.2 has an out-of-bounds read and application crash because it lacks a certain host length recalculation. |
| CVE-2023-34829 | 2023-12-28 | Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext. |
| CVE-2023-50692 | 2023-12-28 | File Upload vulnerability in JIZHICMS v.2.5, allows remote attacker to execute arbitrary code via a crafted file uploaded and downloaded to the download_url parameter in the app/admin/exts/ directory. |
| CVE-2023-7124 | 2023-12-28 | code-projects E-Commerce Site search.php cross site scripting |
| CVE-2023-45701 | 2023-12-28 | HCL Launch is susceptible to sensitive information disclosure |
| CVE-2023-45702 | 2023-12-28 | HCL Launch Agent as a Windows service is vulnerable to a Denial of Service |
| CVE-2023-4671 | 2023-12-28 | SQLi in Talent Soft's ECOP |
| CVE-2023-4672 | 2023-12-28 | XSS in Talent Soft's ECOP |
| CVE-2023-51501 | 2023-12-28 | WordPress Uncode Core Plugin <= 2.8.6 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-50874 | 2023-12-28 | WordPress Ajax Load More Plugin <= 6.1.0.1 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-50860 | 2023-12-28 | WordPress Amelia Plugin <= 1.0.85 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-50859 | 2023-12-28 | WordPress WP Crowdfunding Plugin <= 2.1.6 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-50836 | 2023-12-28 | WordPress HTML Forms Plugin <= 1.3.28 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-50873 | 2023-12-28 | WordPress Add Any Extension to Pages Plugin <= 1.4 is vulnerable to Cross Site Request Forgery (CSRF) |
| CVE-2023-50858 | 2023-12-28 | WordPress Anti Hacker Plugin <= 4.34 is vulnerable to Cross Site Request Forgery (CSRF) |
| CVE-2023-36381 | 2023-12-28 | WordPress Zippy Plugin <= 1.6.5 is vulnerable to PHP Object Injection |
| CVE-2023-32795 | 2023-12-28 | WordPress WooCommerce Product Add-ons Plugin <= 6.1.3 is vulnerable to PHP Object Injection |
| CVE-2023-32513 | 2023-12-28 | WordPress GiveWP Plugin <= 2.25.3 is vulnerable to PHP Object Injection |
| CVE-2023-27447 | 2023-12-28 | WordPress WP SMS Plugin <= 6.0.4 is vulnerable to Sensitive Data Exposure |