Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22809 | 3 Debian, Fedoraproject, Sudo Project | 3 Debian Linux, Fedora, Sudo | 2023-02-04 | N/A | 7.8 HIGH |
| In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value. | |||||
| CVE-2023-24022 | 1 Baicells | 5 Nova227, Nova233, Nova243 and 2 more | 2023-02-03 | N/A | 9.8 CRITICAL |
| Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.) | |||||
| CVE-2023-24427 | 1 Jenkins | 1 Bitbucket Oauth | 2023-02-03 | N/A | 9.8 CRITICAL |
| Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-24422 | 1 Jenkins | 1 Script Security | 2023-02-03 | N/A | 8.8 HIGH |
| A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | |||||
| CVE-2022-48071 | 1 Phicomm | 2 K2, K2 Firmware | 2023-02-03 | N/A | 7.5 HIGH |
| Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext. | |||||
| CVE-2022-48070 | 1 Phicomm | 2 K2, K2 Firmware | 2023-02-03 | N/A | 7.8 HIGH |
| Phicomm K2 v22.6.534.263 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function. | |||||
| CVE-2023-24440 | 1 Jenkins | 1 Jira Pipeline Steps | 2023-02-03 | N/A | 5.5 MEDIUM |
| Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2023-24439 | 1 Jenkins | 1 Jira Pipeline Steps | 2023-02-03 | N/A | 5.5 MEDIUM |
| Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2023-24438 | 1 Jenkins | 1 Jira Pipeline Steps | 2023-02-03 | N/A | 6.5 MEDIUM |
| A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-24429 | 1 Jenkins | 1 Semantic Versioning | 2023-02-03 | N/A | 9.8 CRITICAL |
| Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | |||||
| CVE-2023-24428 | 1 Jenkins | 1 Bitbucket Oauth | 2023-02-03 | N/A | 5.7 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account. | |||||
| CVE-2022-48072 | 1 Phicomm | 2 K2, K2 Firmware | 2023-02-03 | N/A | 7.8 HIGH |
| Phicomm K2G v22.6.3.20 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function. | |||||
| CVE-2022-48010 | 1 Limesurvey | 1 Limesurvey | 2023-02-03 | N/A | 5.4 MEDIUM |
| LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description or Welcome-message text fields. | |||||
| CVE-2023-24430 | 1 Jenkins | 1 Semantic Versioning | 2023-02-03 | N/A | 9.8 CRITICAL |
| Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2023-0563 | 1 Bank Locker Management System Project | 1 Bank Locker Management System | 2023-02-03 | N/A | 4.8 MEDIUM |
| A vulnerability classified as problematic has been found in PHPGurukul Bank Locker Management System 1.0. This affects an unknown part of the file add-locker-form.php of the component Assign Locker. The manipulation of the argument ahname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-219717 was assigned to this vulnerability. | |||||
| CVE-2022-48008 | 1 Limesurvey | 1 Limesurvey | 2023-02-03 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2022-48073 | 1 Phicomm | 2 K2, K2 Firmware | 2023-02-03 | N/A | 7.5 HIGH |
| Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext. | |||||
| CVE-2023-0533 | 1 Online Tours \& Travels Management System Project | 1 Online Tours \& Travels Management System | 2023-02-03 | N/A | 4.7 MEDIUM |
| A vulnerability, which was classified as critical, has been found in SourceCodester Online Tours & Travels Management System 1.0. Affected by this issue is some unknown functionality of the file admin/expense_report.php. The manipulation of the argument from_date leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-219602 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-48007 | 1 Piwigo | 1 Piwigo | 2023-02-03 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent. | |||||
| CVE-2023-0534 | 1 Online Tours \& Travels Management System Project | 1 Online Tours \& Travels Management System | 2023-02-03 | N/A | 4.7 MEDIUM |
| A vulnerability, which was classified as critical, was found in SourceCodester Online Tours & Travels Management System 1.0. This affects an unknown part of the file admin/expense_report.php. The manipulation of the argument to_date leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-219603. | |||||