Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0090 | 1 Proofpoint | 1 Enterprise Protection | 2023-03-15 | N/A | 9.8 CRITICAL |
| The webservices in Proofpoint Enterprise Protection (PPS/POD) contain a vulnerability that allows for an anonymous user to execute remote code through 'eval injection'. Exploitation requires network access to the webservices API, but such access is a non-standard configuration. This affects all versions 8.20.0 and below. | |||||
| CVE-2023-0845 | 1 Hashicorp | 1 Consul | 2023-03-15 | N/A | 6.5 MEDIUM |
| Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5. | |||||
| CVE-2023-0746 | 1 Gigamon | 1 Gigavue-os | 2023-03-15 | N/A | 6.1 MEDIUM |
| The help page in GigaVUE-FM, when using GigaVUE-OS software version 5.0 202, does not require an authenticated user. An attacker could enforce a user into inserting malicious JavaScript code into the URI, that could lead to a Reflected Cross site Scripting. | |||||
| CVE-2023-26261 | 1 Ubikasec | 2 Waap Cloud, Waap Gateway | 2023-03-15 | N/A | 9.8 CRITICAL |
| In UBIKA WAAP Gateway/Cloud through 6.10, a blind XPath injection leads to an authentication bypass by stealing the session of another connected user. The fixed versions are WAAP Gateway & Cloud 6.11.0 and 6.5.6-patch15. | |||||
| CVE-2023-20104 | 1 Cisco | 1 Webex Teams | 2023-03-15 | N/A | 6.1 MEDIUM |
| A vulnerability in the file upload functionality of Cisco Webex App for Web could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending an arbitrary file to a user and persuading that user to browse to a specific URL. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2023-1291 | 1 Sales Tracker Management System Project | 1 Sales Tracker Management System | 2023-03-15 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in SourceCodester Sales Tracker Management System 1.0. This affects an unknown part of the file admin/clients/manage_client.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222645 was assigned to this vulnerability. | |||||
| CVE-2023-1292 | 1 Sales Tracker Management System Project | 1 Sales Tracker Management System | 2023-03-15 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in SourceCodester Sales Tracker Management System 1.0 and classified as critical. This vulnerability affects the function delete_client of the file classes/Master.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222646 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-1294 | 1 File Tracker Manager System Project | 1 File Tracker Management System | 2023-03-15 | N/A | 9.8 CRITICAL |
| A vulnerability was found in SourceCodester File Tracker Manager System 1.0. It has been classified as critical. Affected is an unknown function of the file /file_manager/login.php of the component POST Parameter Handler. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222648. | |||||
| CVE-2023-1286 | 1 Pimcore | 1 Pimcore | 2023-03-15 | N/A | 4.8 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19. | |||||
| CVE-2023-0089 | 1 Proofpoint | 1 Enterprise Protection | 2023-03-15 | N/A | 8.8 HIGH |
| The webutils in Proofpoint Enterprise Protection (PPS/POD) contain a vulnerability that allows an authenticated user to execute remote code through 'eval injection'. This affects all versions 8.20.0 and below. | |||||
| CVE-2023-27476 | 1 Osgeo | 1 Owslib | 2023-03-15 | N/A | 7.5 HIGH |
| OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details. | |||||
| CVE-2023-22462 | 1 Grafana | 1 Grafana | 2023-03-15 | N/A | 5.4 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on "Markdown" or "HTML" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4. | |||||
| CVE-2022-44644 | 1 Apache | 1 Linkis | 2023-03-15 | N/A | 6.5 MEDIUM |
| In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1 | |||||
| CVE-2023-1339 | 1 Rapidload | 1 Power-up For Autoptimize | 2023-03-14 | N/A | 4.3 MEDIUM |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the uucss_update_rule function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to update caching rules. | |||||
| CVE-2023-1338 | 1 Rapidload | 1 Power-up For Autoptimize | 2023-03-14 | N/A | 4.3 MEDIUM |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the attach_rule function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to modify cache rules. | |||||
| CVE-2023-1337 | 1 Rapidload | 1 Power-up For Autoptimize | 2023-03-14 | N/A | 4.3 MEDIUM |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the clear_uucss_logs function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete plugin log files. | |||||
| CVE-2023-1336 | 1 Rapidload | 1 Power-up For Autoptimize | 2023-03-14 | N/A | 4.3 MEDIUM |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the ajax_deactivate function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to disable caching. | |||||
| CVE-2023-1335 | 1 Rapidload | 1 Power-up For Autoptimize | 2023-03-14 | N/A | 4.3 MEDIUM |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the ucss_connect function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to connect a new license key to the site. | |||||
| CVE-2023-1334 | 1 Rapidload | 1 Power-up For Autoptimize | 2023-03-14 | N/A | 4.3 MEDIUM |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the queue_posts function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to modify the plugin's cache. | |||||
| CVE-2023-1333 | 1 Rapidload | 1 Power-up For Autoptimize | 2023-03-14 | N/A | 4.3 MEDIUM |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete the plugin's cache. | |||||