Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-25657 | 1 Networktocode | 1 Nautobot | 2023-03-02 | N/A | 9.8 CRITICAL |
| Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions earlier than 1.5.7 are impacted by a remote code execution vulnerability. Nautobot did not properly sandbox Jinja2 template rendering. In Nautobot 1.5.7 has enabled sandboxed environments for the Jinja2 template engine used internally for template rendering for the following objects: `extras.ComputedField`, `extras.CustomLink`, `extras.ExportTemplate`, `extras.Secret`, `extras.Webhook`. While no active exploits of this vulnerability are known this change has been made as a preventative measure to protect against any potential remote code execution attacks utilizing maliciously crafted template code. This change forces the Jinja2 template engine to use a `SandboxedEnvironment` on all new installations of Nautobot. This addresses any potential unsafe code execution everywhere the helper function `nautobot.utilities.utils.render_jinja2` is called. Additionally, the documentation that had previously suggesting the direct use of `jinja2.Template` has been revised to suggest `render_jinja2`. Users are advised to upgrade to Nautobot 1.5.7 or newer. For users that are unable to upgrade to the latest release of Nautobot, you may add the following setting to your `nautobot_config.py` to apply the sandbox environment enforcement: `TEMPLATES[1]["OPTIONS"]["environment"] = "jinja2.sandbox.SandboxedEnvironment"` After applying this change, you must restart all Nautobot services, including any Celery worker processes. **Note:** *Nautobot specifies two template engines by default, the first being “django” for the Django built-in template engine, and the second being “jinja” for the Jinja2 template engine. This recommended setting will update the second item in the list of template engines, which is the Jinja2 engine.* For users that are unable to immediately update their configuration such as if a Nautobot service restart is too disruptive to operations, access to provide custom Jinja2 template values may be mitigated using permissions to restrict “change” (write) actions to the affected object types listed in the first section. **Note:** *This solution is intended to be stopgap until you can successfully update your `nautobot_config.py` or upgrade your Nautobot instance to apply the sandboxed environment enforcement.* | |||||
| CVE-2022-41128 | 1 Microsoft | 9 Windows 10, Windows 11, Windows 7 and 6 more | 2023-03-02 | N/A | 8.8 HIGH |
| Windows Scripting Languages Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41118. | |||||
| CVE-2022-41082 | 1 Microsoft | 1 Exchange Server | 2023-03-02 | N/A | 8.8 HIGH |
| Microsoft Exchange Server Remote Code Execution Vulnerability. | |||||
| CVE-2022-41040 | 1 Microsoft | 1 Exchange Server | 2023-03-02 | N/A | 8.8 HIGH |
| Microsoft Exchange Server Elevation of Privilege Vulnerability. | |||||
| CVE-2023-25810 | 1 Uptime-kuma Project | 1 Uptime-kuma | 2023-03-02 | N/A | 5.4 MEDIUM |
| Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-41217 | 1 Hybridsoftware | 1 Cloudflow | 2023-03-02 | N/A | 9.8 CRITICAL |
| Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage. | |||||
| CVE-2022-41216 | 1 Hybridsoftware | 1 Cloudflow | 2023-03-02 | N/A | 8.8 HIGH |
| Local File Inclusion vulnerability within Cloudflow allows attackers to retrieve confidential information from the system. | |||||
| CVE-2023-0949 | 1 Modoboa | 1 Modoboa | 2023-03-02 | N/A | 4.8 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository modoboa/modoboa prior to 2.0.5. | |||||
| CVE-2023-26314 | 2 Debian, Mono-project | 2 Debian Linux, Mono | 2023-03-02 | N/A | 8.8 HIGH |
| The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter. | |||||
| CVE-2023-24108 | 1 Zetacomponenets | 1 Mvctools | 2023-03-02 | N/A | 9.8 CRITICAL |
| MvcTools 6d48cd6830fc1df1d8c9d61caa1805fd6a1b7737 was discovered to contain a code execution backdoor via the request package (requirements.txt). This vulnerability allows attackers to access sensitive user information and execute arbitrary code. | |||||
| CVE-2023-24107 | 1 Hour Of Code Python 2015 Project | 1 Hour Of Code Python 2015 | 2023-03-02 | N/A | 9.8 CRITICAL |
| hour_of_code_python_2015 commit 520929797b9ca43bb818b2e8f963fb2025459fa3 was discovered to contain a code execution backdoor via the request package (requirements.txt). This vulnerability allows attackers to access sensitive user information and execute arbitrary code. | |||||
| CVE-2023-0947 | 1 Flatpress | 1 Flatpress | 2023-03-02 | N/A | 9.8 CRITICAL |
| Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3. | |||||
| CVE-2022-44216 | 1 Sir | 1 Gnuboard | 2023-03-02 | N/A | 7.5 HIGH |
| Gnuboard 5.5.4 and 5.5.5 is vulnerable to Insecure Permissions. An attacker can change password of all users without knowing victim's original password. | |||||
| CVE-2021-32851 | 1 Mind-elixir Project | 1 Mind-elixir | 2023-03-02 | N/A | 6.1 MEDIUM |
| Mind-elixir is a free, open source mind map core. Prior to version 0.18.1, mind-elixir is prone to cross-site scripting when handling untrusted menus. This issue is patched in version 0.18.1 | |||||
| CVE-2021-32850 | 1 Jquery-minicolors Project | 1 Jquery-minicolors | 2023-03-02 | N/A | 6.1 MEDIUM |
| jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untrusted color names. This issue is patched in version 2.3.6. | |||||
| CVE-2023-0980 | 1 Yoga Class Registration System Project | 1 Yoga Class Registration System | 2023-03-02 | N/A | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Yoga Class Registration System 1.0 and classified as critical. This issue affects some unknown processing of the file admin/registrations/update_status.php of the component Status Update Handler. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-221675. | |||||
| CVE-2023-0982 | 1 Yoga Class Registration System Project | 1 Yoga Class Registration System | 2023-03-02 | N/A | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Yoga Class Registration System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Add Class Entry. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The identifier VDB-221677 was assigned to this vulnerability. | |||||
| CVE-2023-0981 | 1 Yoga Class Registration System Project | 1 Yoga Class Registration System | 2023-03-02 | N/A | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester Yoga Class Registration System 1.0. It has been classified as critical. Affected is an unknown function of the component Delete User. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-221676. | |||||
| CVE-2023-23659 | 1 Mainwp | 1 Motomo | 2023-03-02 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in MainWP Matomo Extension <= 4.0.4 versions. | |||||
| CVE-2023-24384 | 1 Wpdevart | 1 Organization Chart | 2023-03-02 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart <= 1.4.4 versions. | |||||