Search Results (2927 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3765 | 2 Lfprojects, Microsoft | 2 Mlflow, Windows | 2024-11-21 | 10.0 Critical |
| Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. | ||||
| CVE-2023-3578 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 5.5 Medium |
| A vulnerability classified as critical was found in DedeCMS 5.7.109. Affected by this vulnerability is an unknown functionality of the file co_do.php. The manipulation of the argument rssurl leads to server-side request forgery. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-233371. | ||||
| CVE-2023-3452 | 1 Canto | 1 Canto | 2024-11-21 | 9.8 Critical |
| The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious php file via FTP or some other means into a directory readable by the web server. | ||||
| CVE-2023-3380 | 1 Wavlink | 2 Wn579x3, Wn579x3 Firmware | 2024-11-21 | 4.7 Medium |
| A vulnerability classified as critical has been found in Wavlink WN579X3 up to 20230615. Affected is an unknown function of the file /cgi-bin/adm.cgi of the component Ping Test. The manipulation of the argument pingIp leads to injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-232236. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-39141 | 1 Ziahamza | 1 Webui-aria2 | 2024-11-21 | 7.5 High |
| webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability. | ||||
| CVE-2023-39026 | 2 Filemage, Microsoft | 2 Filemage, Windows | 2024-11-21 | 7.5 High |
| Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component. | ||||
| CVE-2023-38836 | 1 Boidcms | 1 Boidcms | 2024-11-21 | 8.8 High |
| File Upload vulnerability in BoidCMS v.2.0.0 allows a remote attacker to execute arbitrary code by adding a GIF header to bypass MIME type checks. | ||||
| CVE-2023-38646 | 1 Metabase | 1 Metabase | 2024-11-21 | 9.8 Critical |
| Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2. | ||||
| CVE-2023-37679 | 1 Nextgen | 1 Mirth Connect | 2024-11-21 | 9.8 Critical |
| A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server. | ||||
| CVE-2023-37629 | 1 Simple Online Piggery Management System Project | 1 Simple Online Piggery Management System | 2024-11-21 | 9.8 Critical |
| Online Piggery Management System 1.0 is vulnerable to File Upload. An unauthenticated user can upload a php file by sending a POST request to "add-pig.php." | ||||
| CVE-2023-37599 | 1 Issabel | 1 Pbx | 2024-11-21 | 7.5 High |
| An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory. | ||||
| CVE-2023-37462 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 10.0 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable. See the linked GHSA for instructions on testing an installation. This issue has been patched in XWiki 14.4.8, 14.10.4 and 15.0-rc-1. Users are advised to upgrade. The fix commit `d9c88ddc` can also be applied manually to the impacted document `SkinsCode.XWikiSkinsSheet` and users unable to upgrade are advised to manually patch their installations. | ||||
| CVE-2023-36255 | 1 Eramba | 1 Eramba | 2024-11-21 | 8.8 High |
| An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL. | ||||
| CVE-2023-34993 | 1 Fortinet | 1 Fortiwlm | 2024-11-21 | 9.6 Critical |
| An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows an attacker to execute unauthorized code or commands via specifically crafted HTTP GET request parameters. | ||||
| CVE-2023-34960 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 9.8 Critical |
| A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. | ||||
| CVE-2023-34259 | 1 Kyocera | 3 D-copia253mf Plus, D-copia253mf Plus Firmware, Taskalfa 4053ci | 2024-11-21 | 4.9 Medium |
| Kyocera TASKalfa 4053ci printers through 2VG_S000.002.561 allow /wlmdeu%2f%2e%2e%2f%2e%2e directory traversal to read arbitrary files on the filesystem, even files that require root privileges. NOTE: this issue exists because of an incomplete fix for CVE-2020-23575. | ||||
| CVE-2023-33831 | 1 Frangoteam | 1 Fuxa | 2024-11-21 | 9.8 Critical |
| A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. | ||||
| CVE-2023-32077 | 1 Gravitl | 1 Netmaker | 2024-11-21 | 7.5 High |
| Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker, allowing unauthenticated users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched version. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server. | ||||
| CVE-2023-31465 | 1 Fsmlabs | 1 Timekeeper | 2024-11-21 | 9.8 Critical |
| An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server. | ||||
| CVE-2023-2640 | 1 Canonical | 2 Ubuntu Kernel, Ubuntu Linux | 2024-11-21 | 7.8 High |
| On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks. | ||||
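Several of the entries above (mlflow, webui-aria2, FileMage, Kyocera) are path traversal bugs, and the Kyocera entry shows the usual shape: a percent-encoded `..` sequence that a raw-string check misses. The following is an added example, not code from any of the listed projects, of the canonicalisation a file-serving handler needs before it touches the filesystem: decode until the string stabilises (so double-encoding such as `%252e` cannot hide a dot), refuse absolute paths (the mlflow case), refuse backslashes and NUL bytes (relevant on Windows deployments such as FileMage's), normalise lexically, and confine the result to the web root. The root directory, function names and sample paths are assumptions for illustration.

```python
"""Added example: confining a user-supplied file path to a web root.
Not the code of any project in the CVE list above; root and names
are illustrative assumptions."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for the example


def fully_decode(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a
    double-encoded %252e%252e is seen as '..' and not as literal text.
    Refuse inputs that are still changing after max_rounds."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    raise ValueError("too many encoding layers")


def resolve_under_root(root: str, user_path: str) -> str:
    """Return the absolute filesystem path for user_path under root,
    or raise ValueError if the request would leave root."""
    decoded = fully_decode(user_path)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("forbidden byte in path")
    if decoded.startswith("/"):
        # Absolute paths are never legitimate here (the mlflow case).
        raise ValueError("absolute path not allowed")
    # normpath collapses '.' and '..' segments lexically; anything that
    # still begins with '..' after that escapes the root.
    norm = posixpath.normpath(decoded)
    if norm in (".", "..") or norm.startswith("../"):
        raise ValueError("path escapes root")
    full = posixpath.join(root, norm)
    # Final confinement check on the joined path (belt and braces).
    if posixpath.commonpath([root, full]) != root:
        raise ValueError("path escapes root")
    return full


def is_safe(root: str, user_path: str) -> bool:
    """Convenience wrapper: True if the path would be served."""
    try:
        resolve_under_root(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the Kyocera-style one uses the encoded
    # segment shown in that entry, the rest are illustrative.
    for p in ["images/logo.png",
              "wlmdeu%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
              "%252e%252e%252fetc%252fpasswd",
              "/etc/passwd",
              "..\\..\\windows\\win.ini"]:
        print(f"{p!r:45} -> {'serve' if is_safe(WEB_ROOT, p) else 'reject'}")
```

The lexical check is not a substitute for an open-time check against symlinks (resolve with `os.path.realpath` and compare again when the tree can contain links), and on Windows the separator and drive-letter handling needs `ntpath` rather than `posixpath`; the example keeps to the POSIX case the listed entries describe.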