CVE List - 2023 / April
Showing 2001 - 2100 of 2302 CVEs for April 2023 (Page 21 of 24)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2023-25479 | 2023-04-25 | WordPress Podlove Subscribe button Plugin <= 1.3.7 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-2281 | 2023-04-25 | Archiving a team broadcasts unsanitized data over WebSockets |
| CVE-2023-28847 | 2023-04-25 | Nextcloud Server missing brute force protection for passwords of password protected share links |
| CVE-2023-25484 | 2023-04-25 | WordPress Simple Yearly Archive Plugin <= 2.1.8 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2022-47608 | 2023-04-25 | WordPress Quick Contact Form Plugin <= 8.0.3.1 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-29200 | 2023-04-25 | contao/core-bundle has path traversal vulnerability in the file manager |
| CVE-2023-30545 | 2023-04-25 | PrestaShop arbitrary file read vulnerability |
| CVE-2023-30838 | 2023-04-25 | PrestaShop vulnerable to possible XSS injection through Validate::isCleanHTML method |
| CVE-2023-2282 | 2023-04-25 | Improper access control in the Web Login listener in Devolutions Remote Desktop Manager 2023.1.22 and earlier on Windows allows an authenticated user to bypass administrator-enforced Web Login restrictions and gain... |
| CVE-2021-45071 | 2023-04-25 | Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via... |
| CVE-2021-23176 | 2023-04-25 | Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via... |
| CVE-2021-45111 | 2023-04-25 | Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with... |
| CVE-2021-44476 | 2023-04-25 | A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files. |
| CVE-2021-44460 | 2023-04-25 | Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any... |
| CVE-2021-44461 | 2023-04-25 | Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary... |
| CVE-2021-23166 | 2023-04-25 | A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server. |
| CVE-2021-23186 | 2023-04-25 | A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant... |
| CVE-2021-23178 | 2023-04-25 | Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another... |
| CVE-2021-44775 | 2023-04-25 | Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser... |
| CVE-2021-44465 | 2023-04-25 | Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business... |
| CVE-2021-26263 | 2023-04-25 | Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser... |
| CVE-2021-26947 | 2023-04-25 | Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via... |
| CVE-2021-44547 | 2023-04-25 | A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to execute arbitrary code, leading to privilege escalation. |
| CVE-2023-25485 | 2023-04-25 | WordPress JSON Content Importer Plugin <= 1.3.15 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2021-23203 | 2023-04-25 | Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted... |
| CVE-2023-28086 | 2023-04-25 | An HPE OneView appliance dump may expose proxy credential settings |
| CVE-2023-25793 | 2023-04-25 | WordPress Link Juice Keeper Plugin <= 2.0.2 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-28087 | 2023-04-25 | An HPE OneView appliance dump may expose OneView user accounts |
| CVE-2023-30839 | 2023-04-25 | PrestaShop vulnerable to SQL filter bypass leading to arbitrary write requests using "SQL Manager" |
| CVE-2023-28088 | 2023-04-25 | An HPE OneView appliance dump may expose SAN switch administrative credentials |
| CVE-2023-28089 | 2023-04-25 | An HPE OneView appliance dump may expose FTP credentials for c7000 Interconnect Modules |
| CVE-2023-28090 | 2023-04-25 | An HPE OneView appliance dump may expose SNMPv3 read credentials |
| CVE-2023-28084 | 2023-04-25 | HPE OneView and HPE OneView Global Dashboard appliance dumps may expose authentication tokens |
| CVE-2023-25461 | 2023-04-25 | WordPress Wp-Insert Plugin <= 2.5.0 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-25652 | 2023-04-25 | "git apply --reject" partially-controlled arbitrary file write |
| CVE-2023-23995 | 2023-04-25 | WordPress TinyMCE Custom Styles Plugin <= 1.1.2 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-23889 | 2023-04-25 | WordPress Quick Paypal Payments Plugin <= 5.7.25 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-23866 | 2023-04-25 | WordPress Interactive Geo Maps Plugin <= 1.5.8 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-23710 | 2023-04-25 | WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-24005 | 2023-04-25 | WordPress Inline Tweet Sharer – Twitter Sharing Plugin Plugin <= 2.5.3 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-25815 | 2023-04-25 | Git looks for localized messages in the wrong place |
| CVE-2023-29007 | 2023-04-25 | Arbitrary configuration injection via `git submodule deinit` |
| CVE-2023-29011 | 2023-04-25 | Git for Windows's config file of `connect.exe` is susceptible to malicious placing |
| CVE-2023-29012 | 2023-04-25 | Git CMD erroneously executes `doskey.exe` in the current directory, if it exists |
| CVE-2023-30609 | 2023-04-25 | matrix-react-sdk vulnerable to HTML injection in search results via plaintext message highlighting |
| CVE-2023-2293 | 2023-04-25 | SourceCodester Purchase Order Management System cross site scripting |
| CVE-2023-0045 | 2023-04-25 | Incorrect indirect branch prediction barrier in the Linux Kernel |
| CVE-2023-26930 | 2023-04-26 | Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in the pdftotext.cc function. NOTE: Vendor states “it's an expected... |
| CVE-2020-36070 | 2023-04-26 | Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file to the media component. |
| CVE-2022-25273 | 2023-04-26 | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values... |
| CVE-2022-25274 | 2023-04-26 | Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who... |
| CVE-2022-25275 | 2023-04-26 | In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles... |
| CVE-2022-25276 | 2023-04-26 | The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this... |
| CVE-2022-25277 | 2023-04-26 | Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections... |
| CVE-2022-25278 | 2023-04-26 | Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.... |
| CVE-2022-27978 | 2023-04-26 | Tooljet v1.6 does not properly handle missing values in the API, allowing attackers to arbitrarily reset passwords via a crafted HTTP request. |
| CVE-2022-27979 | 2023-04-26 | A cross-site scripting (XSS) vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component. |
| CVE-2022-39989 | 2023-04-26 | An issue was discovered in Fighting Cock Information System 1.0, which uses default credentials, but does not force nor prompt the administrators to change the credentials. |
| CVE-2022-44232 | 2023-04-26 | libming 0.4.8 is vulnerable to Buffer Overflow. In getInt() in decompile.c an unknown type may lead to denial of service. This is a different vulnerability than CVE-2018-9132 and CVE-2018-20427. |
| CVE-2023-2291 | 2023-04-26 | Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor... |
| CVE-2023-2307 | 2023-04-26 | Cross-Site Request Forgery (CSRF) in builderio/qwik |
| CVE-2023-24796 | 2023-04-26 | Password vulnerability found in Vinga WR-AC1200 81.102.1.4370 and before allows a remote attacker to execute arbitrary code via the password parameter at the /goform/sysTools and /adm/systools.asp endpoints. |
| CVE-2023-26567 | 2023-04-26 | Sangoma FreePBX 1805 through 2302 (when obtained as a .ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the... |
| CVE-2023-27107 | 2023-04-26 | Incorrect access control in the runReport function of MyQ Solution Print Server before 8.2 Patch 32 and Central Server before 8.2 Patch 22 allows users who do not have appropriate... |
| CVE-2023-29442 | 2023-04-26 | Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS. |
| CVE-2023-29443 | 2023-04-26 | Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server... |
| CVE-2023-29596 | 2023-04-26 | Buffer Overflow vulnerability found in ByronKnoll Cmix v.19 allows an attacker to execute arbitrary code and cause a denial of service via the paq8 function. |
| CVE-2023-29835 | 2023-04-26 | Insecure Permission vulnerability found in Wondershare Dr.Fone v.12.9.6 allows a remote attacker to escalate privileges via the service permission function. |
| CVE-2023-29836 | 2023-04-26 | Cross Site Scripting vulnerability found in Exelysis Unified Communication Solutions (EUCS) v.1.0 allows a remote attacker to execute arbitrary code via the Username parameter of the eucsAdmin login form. |
| CVE-2023-30112 | 2023-04-26 | Medicine Tracker System in PHP 1.0.0 is vulnerable to SQL Injection. |
| CVE-2023-30210 | 2023-04-26 | OURPHP <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via ourphp_tz.php. |
| CVE-2023-30211 | 2023-04-26 | OURPHP <= 7.2.0 is vulnerable to SQL Injection. |
| CVE-2023-30212 | 2023-04-26 | OURPHP <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php. |
| CVE-2023-30265 | 2023-04-26 | CLTPHP <=6.0 is vulnerable to Directory Traversal. |
| CVE-2023-30266 | 2023-04-26 | CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type. |
| CVE-2023-30267 | 2023-04-26 | CLTPHP <=6.0 is vulnerable to Cross Site Scripting (XSS) via application/home/controller/Changyan.php. |
| CVE-2023-30269 | 2023-04-26 | CLTPHP <=6.0 is vulnerable to Improper Input Validation via application/admin/controller/Template.php. |
| CVE-2023-30280 | 2023-04-26 | Buffer Overflow vulnerability found in Netgear R6900 v.1.0.2.26, R6700v3 v.1.0.4.128, R6700 v.1.0.0.26 allows a remote attacker to execute arbitrary code and cause a denial of service via the getInputData parameter of... |
| CVE-2023-30363 | 2023-04-26 | vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts. |
| CVE-2023-31250 | 2023-04-26 | Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005 |
| CVE-2022-41739 | 2023-04-26 | IBM Spectrum Scale privilege escalation |
| CVE-2022-36769 | 2023-04-26 | IBM Cloud Pak for Data file upload |
| CVE-2023-2294 | 2023-04-26 | UCMS Column Configuration saddpost.php cross site scripting |
| CVE-2023-2273 | 2023-04-26 | Rapid7 Insight Agent Directory Traversal |
| CVE-2023-26286 | 2023-04-26 | IBM AIX privilege escalation |
| CVE-2023-29257 | 2023-04-26 | IBM Db2 code execution |
| CVE-2023-1387 | 2023-04-26 | Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and... |
| CVE-2023-22728 | 2023-04-26 | Silverstripe Framework has missing permission check of canView in GridFieldPrintButton |
| CVE-2023-22729 | 2023-04-26 | Silverstripe Framework has open redirect vulnerability on CMSSecurity relogin screen |
| CVE-2023-29268 | 2023-04-26 | TIBCO Spotfire Statistics Services Unrestricted File Upload Vulnerability |
| CVE-2023-0458 | 2023-04-26 | Spectre V1 Gadget in do_prlimit in the Linux Kernel |
| CVE-2023-30546 | 2023-04-26 | Contiki-NG has off-by-one error in Antelope DBMS |
| CVE-2023-30841 | 2023-04-26 | Ironic and ironic-inspector deployed within Baremetal Operator may expose as ConfigMaps |
| CVE-2023-27559 | 2023-04-26 | IBM Db2 denial of service |
| CVE-2023-28008 | 2023-04-26 | HCL Workload Automation is vulnerable to XML External Entity (XXE) Injection |
| CVE-2023-28009 | 2023-04-26 | HCL Workload Automation is vulnerable to XML External Entity (XXE) Injection |
| CVE-2022-45456 | 2023-04-26 | Denial of service due to unauthenticated API endpoint. The following products are affected: Acronis Agent (Windows, macOS, Linux) before build 30161. |
| CVE-2023-30843 | 2023-04-26 | Payload's hidden fields can be leaked on readable collections |
| CVE-2023-30845 | 2023-04-26 | ESPv2 vulnerable to JWT authentication bypass via `X-HTTP-Method-Override` header |
| CVE-2023-30846 | 2023-04-26 | typed-rest-client vulnerable to potential leak of authentication data to 3rd parties |