Total
304 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-42183 | 1 Lockss | 1 Classic Lockss Daemon | 2024-11-21 | 5.3 Medium |
| lockss-daemon (aka Classic LOCKSS Daemon) before 1.77.3 performs post-Unicode normalization, which may allow bypass of intended access restrictions, such as when U+1FEF is converted to a backtick. | ||||
| CVE-2023-41889 | 1 Ss-proj | 1 Shirasagi | 2024-11-21 | 5.3 Medium |
| SHIRASAGI is a Content Management System. Prior to version 1.18.0, SHIRASAGI is vulnerable to a Post-Unicode normalization issue. This happens when a logical validation or a security check is performed before a Unicode normalization. The Unicode character equivalent of a character would resurface after the normalization. The fix is initially performing the Unicode normalization and then strip for all whitespaces and then checking for a blank string. This issue has been fixed in version 1.18.0. | ||||
| CVE-2023-40453 | 1 Docker | 1 Machine | 2024-11-21 | 6.5 Medium |
| Docker Machine through 0.16.2 allows an attacker, who has control of a worker node, to provide crafted version data, which might potentially trick an administrator into performing an unsafe action (via escape sequence injection), or might have a data size that causes a denial of service to a bastion node. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2023-40014 | 1 Openzeppelin | 2 Openzeppelin Contracts, Openzeppelin Contracts-upgradable | 2024-11-21 | 5.3 Medium |
| OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3. | ||||
| CVE-2023-3668 | 1 Froxlor | 1 Froxlor | 2024-11-21 | 7.2 High |
| Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21. | ||||
| CVE-2023-3552 | 1 Teampass | 1 Teampass | 2024-11-21 | 5.4 Medium |
| Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | ||||
| CVE-2023-3481 | 1 Google | 1 Critters | 2024-11-21 | 5.7 Medium |
| Critters versions 0.0.17-0.0.19 have an issue when parsing the HTML, which leads to a potential cross-site scripting (XSS) bug. We recommend upgrading to version 0.0.20 of the extension. | ||||
| CVE-2023-39527 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 8.3 High |
| PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. | ||||
| CVE-2023-39390 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Vulnerability of input parameter verification in certain APIs in the window management module. Successful exploitation of this vulnerability may cause the device to restart. | ||||
| CVE-2023-39386 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Vulnerability of input parameters being not strictly verified in the PMS module. Successful exploitation of this vulnerability may cause newly installed apps to fail to restart. | ||||
| CVE-2023-39382 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Input verification vulnerability in the audio module. Successful exploitation of this vulnerability may cause virtual machines (VMs) to restart. | ||||
| CVE-2023-39381 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Input verification vulnerability in the storage module. Successful exploitation of this vulnerability may cause the device to restart. | ||||
| CVE-2023-38316 | 1 Opennds | 1 Captive Portal | 2024-11-21 | 9.8 Critical |
| An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests. Affected OpenNDS Captive Portal before version 10.1.2 fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28. August 2023 by updating OpenNDS to version 10.1.3. | ||||
| CVE-2023-37875 | 1 Wftpserver | 1 Wing Ftp Server | 2024-11-21 | 3 Low |
| Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: <= 7.2.0. | ||||
| CVE-2023-36921 | 1 Sap | 1 Solution Manager | 2024-11-21 | 7.2 High |
| SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to serve poisoned content to the server. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application. | ||||
| CVE-2023-36919 | 1 Sap | 1 Enable Now | 2024-11-21 | 5.3 Medium |
| In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the Referrer-Policy response header is not implemented, allowing an unauthenticated attacker to obtain referrer details, resulting in information disclosure. | ||||
| CVE-2023-35941 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-11-21 | 8.6 High |
| Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration. | ||||
| CVE-2023-34036 | 1 Vmware | 1 Spring Hateoas | 2024-11-21 | 5.3 Medium |
| Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle (and possibly discard) forwarded headers either in WebFlux or at the level of the underlying HTTP server. For the application to be affected, it needs to satisfy the following requirements: * It needs to use the reactive web stack (Spring WebFlux) and Spring HATEOAS to create links in hypermedia-based responses. * The application infrastructure does not guard against clients submitting (X-)Forwarded… headers. | ||||
| CVE-2023-2200 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.1 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field. | ||||
| CVE-2023-28738 | 2 Intel, Intel Nuc Bios Firmware | 13 Nuc 7 Essential Nuc7cjysamn, Nuc 7 Essential Nuc7cjysamn Firmware, Nuc Kit Nuc7cjyh and 10 more | 2024-11-21 | 7.5 High |
| Improper input validation for some Intel NUC BIOS firmware before version JY0070 may allow a privileged user to potentially enable escalation of privilege via local access. | ||||