2023-12-20
2023-12-20 22:15Z
CRIT

CVE-2023-50985 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the lanGw

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-50985

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the lanGw parameter in the lanCfgSet function. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile

CWECWE 787VNDTendaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-12-20
2023-12-20 22:15Z
CRIT

CVE-2023-50984 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the ip

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-50984

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the ip parameter in the spdtstConfigAndStart function. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile

CWECWE 787VNDTendaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-12-20
2023-12-20 22:15Z
CRIT

CVE-2023-50983 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-50983

Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the sysScheduleRebootSet function. CVSSv3.1 9.8 (CRITICAL) · EPSS 81th percentile

CWECWE 77VNDTendaTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-12-18
2023-12-18 16:15Z
MED

CVE-2023-48795 — Openbsd Openssh: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extension CVSSv3.1 5.9 (MEDIUM) · EPSS 98th percentile

CWECWE 354VNDPuttyVNDFilezilla ProjectVNDPanicTYPVulnerability
5.9
CVSS v3.1
96
Edit Score
2023-12-15
2023-12-15 18:15Z
CRIT

CVE-2023-50918 — Misp-project Misp: app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-50918

app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. CVSSv3.1 9.8 (CRITICAL) · EPSS 51th percentile

VNDMispVNDMisp ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-12-15
2023-12-15 11:15Z
CRIT

CVE-2023-6553 — Backupbliss Backup_migration: The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6553

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 94VNDBackupblissVNDBackupTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-12-13
2023-12-13 14:15Z
HIGH

CVE-2023-47326 — Silverpeas Silverpeas: Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) via the Domain

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47326

Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) via the Domain SQL Create function. CVSSv3.1 8.8 (HIGH) · EPSS 31th percentile

CWECWE 352VNDSilverpeasTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2023-12-13
2023-12-13 14:15Z
HIGH

CVE-2023-47322 — Silverpeas Silverpeas: The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47322

The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF with execute making the attacker an administrator user in the application. CVSSv3.1 8.8 (HIGH) · EPSS 32th percentile

CWECWE 352VNDSilverpeasTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-12-13
2023-12-13 14:15Z
HIGH

CVE-2023-47320 — Silverpeas Silverpeas: Core 6.3.1 is vulnerable to Incorrect Access Control.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47320

Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. This affects Silverpeas Core 6.3.1 and below. CVSSv3.1 8.1 (HIGH) · EPSS 50th percentile

CWECWE 863VNDSilverpeasTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2023-12-07
2023-12-07 18:15Z
HIGH

CVE-2023-33413 — Supermicro M11sdv-4c-ln4f_firmware: The configuration functionality in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33413

The configuration functionality in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions through 3.17.02, allows remote authenticated users to execute arbitrary commands. CVSSv3.1 8.8 (HIGH) · EPSS 59th percentile

CWECWE 798VNDSupermicroVNDIntelligentTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-12-07
2023-12-07 18:15Z
HIGH

CVE-2023-33412 — Supermicro M11sdv-4c-ln4f_firmware: The web interface in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33412

The web interface in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions before 3.17.02, allows remote authenticated users to execute arbitrary commands via a crafted request targeting vulnerable cgi endpoints. CVSSv3.1 8.8 (HIGH) · EPSS 65th percentile

VNDSupermicroVNDIntelligentTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-12-07
2023-12-07 07:15Z
HIGH

CVE-2023-43303 — Linecorp Line: An issue in craftbeer bar canvas mini-app on Line v13.6.1 allows attackers to send

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-43303

An issue in craftbeer bar canvas mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token (via captured network traffic). CVSSv3.1 8.2 (HIGH) · EPSS 41th percentile

VNDLinecorpTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2023-12-01
2023-12-01 14:15Z
CRIT

CVE-2023-5636 — Arslansoft_education_portal_project Arslansoft_education_portal: Unrestricted Upload of File with Dangerous Type vulnerability in ArslanSoft Education Portal allows Command

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5636

Unrestricted Upload of File with Dangerous Type vulnerability in ArslanSoft Education Portal allows Command Injection. This issue affects Education Portal: before v1.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 66th percentile

CWECWE 434VNDArslansoft Education Portal ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-12-01
2023-12-01 14:15Z
CRIT

CVE-2023-5634 — Arslansoft_education_portal_project Arslansoft_education_portal: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5634

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ArslanSoft Education Portal allows SQL Injection. This issue affects Education Portal: before v1.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 30th percentile

CWECWE 89VNDArslansoft Education Portal ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-11-30
2023-11-30 15:15Z
MED

CVE-2023-40600 — Ewww Image_optimizer: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exactly WWW EWWW Image

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-40600

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exactly WWW EWWW Image Optimizer. It works only when debug.log is turned on.This issue affects EWWW Image Optimizer: from n/a through 7.2.0. CVSSv3.1 5.3 (MEDIUM) · EPSS 98th percentile

CWECWE 200VNDEwwwTYPVulnerability
5.3
CVSS v3.1
95
Edit Score
2023-11-29
2023-11-29 01:15Z
CRIT

CVE-2023-23325 — Zumtobel Netlink_ccd_firmware: Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-23325

Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command injection vulnerability via the NetHostname parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 78th percentile

CWECWE 78VNDZumtobelTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-11-29
2023-11-29 01:15Z
CRIT

CVE-2023-23324 — Zumtobel Netlink_ccd_firmware: Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-23324

Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile

CWECWE 798VNDZumtobelTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-11-28
2023-11-28 21:15Z
CRIT

CVE-2023-48193 — Fit2cloud Jumpserver: Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-48193

Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function. NOTE: this is disputed because command filtering is not intended to restrict what code can be run by authorized users who are allowed to execute files. CVSSv3.1 9.8 (CRITICAL) · EPSS 78th percentile

VNDFit2cloudTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-11-28
2023-11-28 12:15Z
HIGH

CVE-2023-6201 — Univera Panorama: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6201

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Univera Computer System Panorama allows Command Injection. This issue affects Panorama: before 8.0. CVSSv3.1 8.8 (HIGH)

CWECWE 78VNDUniveraTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-11-23
2023-11-23 10:15Z
CRIT

CVE-2023-3631 — Medart_notification_panel_project Medart_notification_panel: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3631

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Medart Health Services Medart Notification Panel allows SQL Injection.This issue affects Medart Notification Panel: through 20231123.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 18th percentile

CWECWE 89VNDMedart Notification Panel ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-11-23
2023-11-23 09:15Z
CRIT

CVE-2023-3377 — Veribase Veribase: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3377

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veribilim Software Computer Veribase allows SQL Injection.This issue affects Veribase: through 20231123.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 23th percentile

CWECWE 89VNDVeribaseTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-11-22
2023-11-22 16:15Z
HIGH

CVE-2023-6009 — Userproplugin Userpro: The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6009

The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. CVSSv3.1 8.8 (HIGH) · EPSS 36th percentile

CWECWE 266VNDUserpropluginVNDUserproTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-11-22
2023-11-22 16:15Z
HIGH

CVE-2023-5822 — Codedropz Drag_and_drop_multiple_file_upload_-_contact_form_7: The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5822

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privile CVSSv3.1 8.1 (HIGH) · EPSS 89th percentile

CWECWE 434VNDCodedropzVNDDragTYPVulnerability
8.1
CVSS v3.1
92
Edit Score
2023-11-22
2023-11-22 16:15Z
HIGH

CVE-2023-5815 — Infornweb News_\&_blog_designer_pack: The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5815

The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function hooked via a nopriv AJAX. This is due to function utilizing an unsafe extract() method to extract values from the POST variable and passing that input to the include() CVSSv3.1 8.1 (HIGH) · EPSS 98th percentile

CWECWE 98VNDInfornwebTYPVulnerability
8.1
CVSS v3.1
100
Edit Score
2023-11-22
2023-11-22 16:15Z
HIGH

CVE-2023-5466 — Gopiplus Wp_anything_slider: The Wp anything slider plugin for WordPress is vulnerable to SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5466

The Wp anything slider plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the d CVSSv3.1 8.8 (HIGH) · EPSS 63th percentile

CWECWE 89VNDGopiplusTYPVulnerability
8.8
CVSS v3.1
94
Edit Score