Total: 210374 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-1766 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2023-01-27 | 4.3 MEDIUM | 6.1 MEDIUM | Due to improper handling of uploaded images it is possible, in very unlikely and rare conditions, to force the agent's browser to execute malicious JavaScript from a specially crafted SVG file rendered as an inline JPG file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
CVE-2011-10001 | 1 Phoenixcf Project | 1 Phoenixcf | 2023-01-27 | N/A | 9.8 CRITICAL | A vulnerability was found in iamdroppy phoenixcf. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file content/2-Community/articles.cfm. The manipulation leads to SQL injection. The name of the patch is d156faf8bc36cd49c3b10d3697ef14167ad451d8. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218491.
CVE-2022-43704 | 1 Sinilink | 2 Xy-wft1, Xy-wft1 Firmware | 2023-01-27 | N/A | 5.9 MEDIUM | The Sinilink XY-WFT1 WiFi Remote Thermostat, running firmware 1.3.6, allows an attacker to bypass the intended requirement to communicate using MQTT. It is possible to replay Sinilink aka SINILINK521 protocol (udp/1024) commands, interfacing directly with the target device. This, in turn, allows an attacker to control the onboard relay without requiring authentication via the mobile application. This might result in an unacceptable temperature within the target device's physical environment.
CVE-2023-22964 | 1 Zohocorp | 1 Manageengine Servicedesk Plus Msp | 2023-01-27 | N/A | 9.1 CRITICAL | Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.
CVE-2020-23256 | 1 Electerm Project | 1 Electerm | 2023-01-27 | N/A | 9.8 CRITICAL | An issue was discovered in Electerm 1.3.22 that allows attackers to execute arbitrary code via an unverified request to Electerm's service.
CVE-2022-38110 | 1 Solarwinds | 1 Database Performance Analyzer | 2023-01-27 | N/A | 5.4 MEDIUM | In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting.
CVE-2023-0406 | 1 Modoboa | 1 Modoboa | 2023-01-27 | N/A | 4.3 MEDIUM | Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.
CVE-2020-11054 | 2 Fedoraproject, Qutebrowser | 2 Fedora, Qutebrowser | 2023-01-27 | 4.3 MEDIUM | 3.5 LOW | In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user has already seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.
CVE-2022-47197 | 1 Ghost | 1 Ghost | 2023-01-27 | N/A | 5.4 MEDIUM | An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject JavaScript in a post to trick an administrator into visiting the post. A stored XSS vulnerability exists in the `codeinjection_foot` for a post.
CVE-2023-23492 | 1 Login With Phone Number Project | 1 Login With Phone Number | 2023-01-27 | N/A | 8.8 HIGH | The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the 'ID' parameter of its 'lwp_forgot_password' action.
CVE-2022-47195 | 1 Ghost | 1 Ghost | 2023-01-27 | N/A | 5.4 MEDIUM | An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject JavaScript in a post to trick an administrator into visiting the post. A stored XSS vulnerability exists in the `facebook` field for a user.
CVE-2022-47194 | 1 Ghost | 1 Ghost | 2023-01-27 | N/A | 5.4 MEDIUM | An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject JavaScript in a post to trick an administrator into visiting the post. A stored XSS vulnerability exists in the `twitter` field for a user.
CVE-2023-0398 | 1 Modoboa | 1 Modoboa | 2023-01-27 | N/A | 6.5 MEDIUM | Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.
CVE-2021-37499 | 1 Reprisesoftware | 1 Reprise License Manager | 2023-01-27 | N/A | 6.5 MEDIUM | CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in the View License Result function, that allows remote attackers to inject arbitrary HTTP headers.
CVE-2023-24028 | 1 Misp-project | 1 Misp | 2023-01-27 | N/A | 9.8 CRITICAL | In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.
CVE-2021-37498 | 1 Reprisesoftware | 1 Reprise License Manager | 2023-01-27 | N/A | 6.5 MEDIUM | An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers and conduct port scans via the actserver parameter in the License Activation function.
CVE-2022-42053 | 1 Tenda | 2 Ac1200 V-w15ev2, W15e Firmware | 2023-01-27 | N/A | 7.8 HIGH | Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a command injection vulnerability via the PortMappingServer parameter in the setPortMapping function.
CVE-2022-40846 | 1 Tenda | 2 Ac1200 V-w15ev2, W15e Firmware | 2023-01-27 | N/A | 4.8 MEDIUM | In Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576), a Stored Cross Site Scripting (XSS) vulnerability exists allowing an attacker to execute JavaScript code via the application's stored hostname.
CVE-2022-40844 | 1 Tenda | 2 Ac1200 V-w15ev2, W15e Firmware | 2023-01-27 | N/A | 5.4 MEDIUM | In Tenda (Shenzhen Tenda Technology Co., Ltd) AC1200 Router model W15Ev2 V15.11.0.10(1576), a Stored Cross Site Scripting (XSS) issue exists allowing an attacker to execute JavaScript code via the application's website filtering tab, specifically the URL body.
CVE-2022-40847 | 1 Tenda | 2 Ac1200 V-w15ev2, W15e Firmware | 2023-01-27 | N/A | 7.8 HIGH | In Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576), there exists a command injection vulnerability in the function formSetFixTools. This vulnerability allows attackers to run arbitrary commands on the server via the hostname parameter.