Total: 210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2021-36424 | 1 Phpwcms | 1 Phpwcms | 2023-02-09 | N/A | 9.8 CRITICAL | An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via the DB user field during installation. |
CVE-2023-24202 | 1 Raffle Draw System Project | 1 Raffle Draw System | 2023-02-09 | N/A | 9.8 CRITICAL | Raffle Draw System v1.0 was discovered to contain a local file inclusion vulnerability via the page parameter in index.php. |
CVE-2023-24195 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2023-02-09 | N/A | 6.1 MEDIUM | Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the page parameter in index.php. |
CVE-2023-24194 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2023-02-09 | N/A | 6.1 MEDIUM | Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the page parameter in navbar.php. |
CVE-2021-36425 | 1 Phpwcms | 1 Phpwcms | 2023-02-09 | N/A | 5.4 MEDIUM | Directory traversal vulnerability in phpwcms 1.9.25 allows remote attackers to delete arbitrary files via the unfiltered $file parameter passed to the unlink method in include/inc_act/act_ftptakeover.php. |
CVE-2023-24201 | 1 Raffle Draw System Project | 1 Raffle Draw System | 2023-02-09 | N/A | 9.8 CRITICAL | Raffle Draw System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at get_ticket.php. |
CVE-2023-24200 | 1 Raffle Draw System Project | 1 Raffle Draw System | 2023-02-09 | N/A | 9.8 CRITICAL | Raffle Draw System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at save_ticket.php. |
CVE-2023-24199 | 1 Raffle Draw System Project | 1 Raffle Draw System | 2023-02-09 | N/A | 9.8 CRITICAL | Raffle Draw System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at delete_ticket.php. |
CVE-2023-24192 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2023-02-09 | N/A | 6.1 MEDIUM | Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the redirect parameter in login.php. |
CVE-2023-24191 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2023-02-09 | N/A | 6.1 MEDIUM | Online Food Ordering System v2 was discovered to contain a cross-site scripting (XSS) vulnerability via the redirect parameter in signup.php. |
CVE-2022-47021 | 2 Fedoraproject, Xiph | 2 Fedora, Opusfile | 2023-02-09 | N/A | 7.8 HIGH | A null pointer dereference issue was discovered in the functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 through 0.12, allowing attackers to cause a denial of service or other unspecified impacts. |
CVE-2019-18928 | 3 Cyrus, Debian, Fedoraproject | 3 Imap, Debian Linux, Fedora | 2023-02-09 | 7.5 HIGH | 9.8 CRITICAL | Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection. |
CVE-2018-11770 | 1 Apache | 1 Spark | 2023-02-09 | 4.9 MEDIUM | 4.2 MEDIUM | From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone mode, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'. |
CVE-2022-21663 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2023-02-09 | 6.5 MEDIUM | 7.2 HIGH | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with the Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
CVE-2022-25293 | 1 Watchguard | 1 Fireware | 2023-02-09 | 6.5 MEDIUM | 8.8 HIGH | A systemd stack-based buffer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a malicious upgrade image. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. |
CVE-2020-28884 | 1 Liferay | 1 Liferay Portal | 2023-02-09 | 9.0 HIGH | 7.2 HIGH | ** DISPUTED ** Liferay Portal Server, tested on 7.3.5 GA6 and 7.2.0 GA1, is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run Groovy scripts and therefore not a design flaw. |
CVE-2021-42581 | 1 Ramdajs | 1 Ramda | 2023-02-09 | 6.4 MEDIUM | 9.1 CRITICAL | ** DISPUTED ** Prototype poisoning in the function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise the integrity or availability of an application by supplying a crafted object (one that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes. |
CVE-2022-25514 | 1 Nothings | 1 Stb Truetype.h | 2023-02-09 | 5.0 MEDIUM | 7.5 HIGH | ** DISPUTED ** stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function ttUSHORT() in stb_truetype.h. NOTE: A third party has disputed this, stating that the source code carries a disclaimer that it should only be used with trusted input. |
CVE-2022-24198 | 1 Itextpdf | 1 Itext | 2023-02-09 | 4.3 MEDIUM | 6.5 MEDIUM | ** DISPUTED ** iText v7.1.17 was discovered to contain an out-of-bounds exception in the component ARCFOUREncryption.encryptARCFOUR, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. NOTE: The vendor does not view this as a vulnerability and has not found it to be exploitable. |
CVE-2021-0983 | 1 Google | 1 Android | 2023-02-09 | 2.1 LOW | 3.3 LOW | In createAdminSupportIntent of DevicePolicyManagerService.java, there is a possible disclosure of information about the installed device/profile owner package name due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12L. Android ID: A-192245204 |