CVE List - 2023 / May
Showing 1 - 100 of 2420 CVEs for May 2023 (Page 1 of 25)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2023-22919 | 2023-05-01 | The post-authentication command injection vulnerability in the Zyxel NBG6604 firmware version V1.01(ABIR.0)C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request. |
| CVE-2023-22921 | 2023-05-01 | A cross-site scripting (XSS) vulnerability in the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker with administrator privileges to store malicious scripts using a... |
| CVE-2023-22922 | 2023-05-01 | A buffer overflow vulnerability in the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote unauthenticated attacker to cause DoS conditions by sending crafted packets if Telnet... |
| CVE-2023-22923 | 2023-05-01 | A format string vulnerability in a binary of the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker to cause denial-of-service (DoS) conditions on an... |
| CVE-2023-22924 | 2023-05-01 | A buffer overflow vulnerability in the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker with administrator privileges to cause denial-of-service (DoS) conditions by executing... |
| CVE-2023-26987 | 2023-05-01 | An issue discovered in Konga 0.14.9 allows remote attackers to manipulate user accounts regardless of privilege via crafted POST request. |
| CVE-2023-27035 | 2023-05-01 | An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page. |
| CVE-2023-27108 | 2023-05-01 | An issue was discovered in KaiOS 3.0. The pre-installed Communications application exposes a Web Activity that returns the user's call log without origin or permission checks. An attacker can inject... |
| CVE-2023-29635 | 2023-05-01 | File upload vulnerability in Antabot White-Jotter v0.2.2, allows remote attackers to execute malicious code via the file parameter to function coversUpload. |
| CVE-2023-29636 | 2023-05-01 | Cross site scripting (XSS) vulnerability in ZHENFENG13 My-Blog, allows attackers to inject arbitrary web script or HTML via the "title" field in the "blog management" page due to the the... |
| CVE-2023-29637 | 2023-05-01 | Cross Site Scripting (XSS) vulnerability in Qbian61 forum-java, allows attackers to inject arbitrary web script or HTML via editing the article content in the "article editor" page. |
| CVE-2023-29638 | 2023-05-01 | Cross Site Scripting (XSS) vulnerability in WinterChenS my-site before commit 3f0423da6d5200c7a46e200da145c1f54ee18548, allows attackers to inject arbitrary web script or HTML via editing blog articles. |
| CVE-2023-29639 | 2023-05-01 | Cross site scripting (XSS) vulnerability in ZHENFENG13 My-Blog, allows attackers to inject arbitrary web script or HTML via editing an article in the "blog article" page due to the default... |
| CVE-2023-29641 | 2023-05-01 | Cross Site Scripting (XSS) vulnerability in pandao editor.md thru 1.5.0 allows attackers to inject arbitrary web script or HTML via crafted markdown text. |
| CVE-2023-29643 | 2023-05-01 | Cross Site Scripting (XSS) vulnerability in PerfreeBlog 3.1.2 allows attackers to execute arbitrary code via the Post function. |
| CVE-2023-29680 | 2023-05-01 | Cleartext Transmission in set-cookie:ecos_pw: Tenda N301 v6.0, Firmware v12.02.01.61_multi allows an authenticated attacker on the LAN or WLAN to intercept communications with the router and obtain the password. |
| CVE-2023-29681 | 2023-05-01 | Cleartext Transmission in cookie:ecos_pw: in Tenda N301 v6.0, firmware v12.03.01.06_pt allows an authenticated attacker on the LAN or WLAN to intercept communications with the router and obtain the password. |
| CVE-2023-30061 | 2023-05-01 | D-Link DIR-879 v105A1 is vulnerable to Authentication Bypass via phpcgi. |
| CVE-2023-30063 | 2023-05-01 | D-Link DIR-890L FW1.10 A1 is vulnerable to Authentication bypass. |
| CVE-2023-30639 | 2023-05-01 | Archer Platform 6.8 before 6.12 P6 HF1 (6.12.0.6.1) contains a stored XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript... |
| CVE-2015-10105 | 2023-05-01 | IP Blacklist Cloud Plugin CSV File Import ip_blacklist_cloud.php valid_js_identifier path traversal |
| CVE-2018-25085 | 2023-05-01 | Responsive Menus Configuration Setting responsive_menus.module responsive_menus_admin_form_submit cross site scripting |
| CVE-2023-2236 | 2023-05-01 | Use-after-free in Linux kernel's Performance Events subsystem |
| CVE-2023-2235 | 2023-05-01 | Use-after-free in Linux kernel's Performance Events subsystem |
| CVE-2023-30859 | 2023-05-01 | Spigot Command Exploit in Triton |
| CVE-2023-0896 | 2023-05-01 | A default password was reported in Lenovo Smart Clock Essential with Alexa Built In that could allow unauthorized device access to an attacker with local network access. |
| CVE-2022-45802 | 2023-05-01 | Apache StreamPark (incubating): Upload any file to any directory |
| CVE-2023-28092 | 2023-05-01 | A potential security vulnerability has been identified in HPE ProLiant RL300 Gen11 Server. The vulnerability could result in the system being vulnerable to exploits by attackers with physical access inside... |
| CVE-2023-25492 | 2023-05-01 | A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in... |
| CVE-2023-0683 | 2023-05-01 | A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call. |
| CVE-2022-4568 | 2023-05-01 | A directory permissions management vulnerability in Lenovo System Update may allow elevation of privileges. |
| CVE-2022-45801 | 2023-05-01 | Apache StreamPark (incubating): LDAP Injection Vulnerability |
| CVE-2022-48186 | 2023-05-01 | A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure. |
| CVE-2022-46365 | 2023-05-01 | Apache StreamPark (incubating): Logic error causing any account reset |
| CVE-2023-2451 | 2023-05-01 | SourceCodester Online DJ Management System GET Parameter view_details.php sql injection |
| CVE-2023-22503 | 2023-05-01 | Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an... |
| CVE-2023-2197 | 2023-05-01 | Vault Enterprise Vulnerable to Padding Oracle Attacks When Using a CBC-based Encryption Mechanism with a HSM |
| CVE-2023-2247 | 2023-05-02 | In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function |
| CVE-2023-29856 | 2023-05-02 | D-Link DIR-868L Hardware version A1, firmware version 1.12 is vulnerable to Buffer Overflow. The vulnerability is in scandir.sgi binary. |
| CVE-2023-30943 | 2023-05-02 | Moodle: tinymce loaders susceptible to arbitrary folder creation |
| CVE-2023-30944 | 2023-05-02 | Moodle: minor sql injection risk in external wiki method for listing pages |
| CVE-2022-30759 | 2023-05-02 | In Nokia One-NDS (aka Network Directory Server) through 20.9, some Sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands. |
| CVE-2022-47874 | 2023-05-02 | Improper Access Control in /tc/rpc in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to view details of database connections via class 'com.jedox.etl.mngr.Connections' and method 'getGlobalConnection'. |
| CVE-2022-47875 | 2023-05-02 | A Directory Traversal vulnerability in /be/erpc.php in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to execute arbitrary code. |
| CVE-2022-47876 | 2023-05-02 | The integrator in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts. |
| CVE-2022-47877 | 2023-05-02 | A Stored cross-site scripting vulnerability in Jedox 2020.2.5 allows remote, authenticated users to inject arbitrary web script or HTML in the Logs page via the log module 'log'. |
| CVE-2022-47878 | 2023-05-02 | Incorrect input validation for the default-storage-path in the settings page in Jedox 2020.2.5 allows remote, authenticated users to specify the location as Webroot directory. Consecutive file uploads can lead to... |
| CVE-2022-48482 | 2023-05-02 | 3CX before 18 Update 2 Security Hotfix build 18.0.2.315 on Windows allows unauthenticated remote attackers to read certain files via /Electron/download directory traversal. Files may have credentials, full backups, call... |
| CVE-2022-48483 | 2023-05-02 | 3CX before 18 Hotfix 1 build 18.0.3.461 on Windows allows unauthenticated remote attackers to read %WINDIR%\system32 files via /Electron/download directory traversal in conjunction with a path component that has a... |
| CVE-2023-2479 | 2023-05-02 | OS Command Injection in appium/appium-desktop |
| CVE-2023-26089 | 2023-05-02 | European Chemicals Agency IUCLID 6.x before 6.27.6 allows authentication bypass because a weak hard-coded secret is used for JWT signing. The affected versions are 5.15.0 through 6.27.5. |
| CVE-2023-26546 | 2023-05-02 | European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template... |
| CVE-2023-27892 | 2023-05-02 | Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.7.0 allow a global buffer overflow via crafted messages. Flaws in cf_confirmExecTx() in ethereum_contracts.c can be used to reveal... |
| CVE-2023-29772 | 2023-05-02 | A Cross-site scripting (XSS) vulnerability in the System Log/General Log page of the administrator web UI in ASUS RT-AC51U wireless router firmware version up to and including 3.0.0.4.380.8591 allows remote... |
| CVE-2023-29778 | 2023-05-02 | GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread. |
| CVE-2023-29867 | 2023-05-02 | Zammad 5.3.x (Fixed 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker could gain information about linked accounts of users involved in their tickets using the Zammad API. |
| CVE-2023-29868 | 2023-05-02 | Zammad 5.3.x (Fixed in 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker with agent and customer roles could perform unauthorized changes on articles where they only have customer... |
| CVE-2023-29918 | 2023-05-02 | RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module. |
| CVE-2023-30403 | 2023-05-02 | An issue in the time-based authentication mechanism of Aigital Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful attempt by... |
| CVE-2023-31433 | 2023-05-02 | A SQL injection issue in Logbuch in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allows authenticated attackers to execute SQL statements via the welche parameter. |
| CVE-2023-31434 | 2023-05-02 | The parameters nutzer_titel, nutzer_vn, and nutzer_nn in the user profile, and langID and ONLINEID in direct links, in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 do... |
| CVE-2023-31435 | 2023-05-02 | Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow authenticated attackers to read... |
| CVE-2013-10026 | 2023-05-02 | Mail Subscribe List Plugin index.php cross site scripting |
| CVE-2014-125100 | 2023-05-02 | BestWebSoft Job Board Plugin cross site scripting |
| CVE-2022-25713 | 2023-05-02 | Improper Restriction of Operations within the Bounds of a Memory Buffer in Automotive |
| CVE-2022-33281 | 2023-05-02 | Improper validation of array index in computer vision. |
| CVE-2022-33292 | 2023-05-02 | Use after free in Qualcomm IPC |
| CVE-2022-33304 | 2023-05-02 | NULL pointers dereference in Modem |
| CVE-2022-33305 | 2023-05-02 | Null pointer dereference in Modem |
| CVE-2022-34144 | 2023-05-02 | Reachable assertion in Modem |
| CVE-2022-40505 | 2023-05-02 | Buffer over-read in Modem |
| CVE-2022-40508 | 2023-05-02 | Reachable assertion in Modem |
| CVE-2023-21642 | 2023-05-02 | Improper Access Control in HAB Memory Management |
| CVE-2023-21665 | 2023-05-02 | Incorrect Type Conversion or Cast in Graphics |
| CVE-2023-21666 | 2023-05-02 | Improper Release of Memory Before Removing Last Reference (`Memory Leak`) in Graphics |
| CVE-2023-0924 | 2023-05-02 | Zyrex Popup <= 1.0 - Admin+ Arbitrary File Upload |
| CVE-2023-1525 | 2023-05-02 | Site Reviews < 6.7.1 - Admin+ Stored XSS |
| CVE-2023-1861 | 2023-05-02 | Limit Login Attempts < 1.7.2 - Subscriber+ Stored XSS |
| CVE-2023-1554 | 2023-05-02 | Quick Paypal Payments < 5.7.26.4 - Admin+ Stored XSS |
| CVE-2023-1021 | 2023-05-02 | Amr Ical Events Lists <= 6.6 - Admin+ Stored XSS |
| CVE-2023-1125 | 2023-05-02 | Ruby Help Desk < 1.3.4 - Subscriber+ Ticket Update via IDOR |
| CVE-2023-1809 | 2023-05-02 | Download Manager Pro < 6.3.0 - Unauthenticated Sensitive Information Disclosure |
| CVE-2023-1805 | 2023-05-02 | Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS |
| CVE-2023-1669 | 2023-05-02 | SEOPress < 6.5.0.3 - Admin+ PHP Object Injection |
| CVE-2023-0891 | 2023-05-02 | Stagtools < 2.3.7 - Contributor+ Stored XSS |
| CVE-2023-1804 | 2023-05-02 | Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS |
| CVE-2023-1614 | 2023-05-02 | WP Custom Author URL < 1.0.5 - Admin+ Stored XSS |
| CVE-2023-1090 | 2023-05-02 | WP SMTP Mailing Queue < 2.0.1 - Admin+ Stored XSS |
| CVE-2023-1911 | 2023-05-02 | Blocksy Companion < 1.8.82 - Subscriber+ Draft Post Access |
| CVE-2023-1546 | 2023-05-02 | MyCryptoCheckout < 2.124 - Reflected XSS |
| CVE-2023-1730 | 2023-05-02 | SupportCandy < 3.1.5 - Unauthenticated SQLi |
| CVE-2022-33273 | 2023-05-02 | Buffer over-read in Trusted Execution Environment |
| CVE-2022-40504 | 2023-05-02 | Reachable assertion in Modem |
| CVE-2023-32007 | 2023-05-02 | Apache Spark: Shell command injection via Spark UI |
| CVE-2023-1196 | 2023-05-02 | Advanced Custom Fields - Contributor+ PHP Object Injection |
| CVE-2023-31207 | 2023-05-02 | Automation user secret logged to Apache access log |
| CVE-2023-2000 | 2023-05-02 | Unrestricted navigation due to unvalidated mattermost server redirection |
| CVE-2023-30869 | 2023-05-02 | WordPress Easy Digital Downloads Plugin 3.1-3.1.1.4.1 is vulnerable to Privilege Escalation |
| CVE-2023-23723 | 2023-05-02 | WordPress WordPress Email Marketing Plugin – WP Email Capture Plugin <= 3.9.3 is vulnerable to Cross Site Scripting (XSS) |
| CVE-2023-2473 | 2023-05-02 | Dreamer CMS Password Hash Calculation UserController.java updatePwd algorithmic complexity |