Total: 967 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-38896 | 1 Langchain | 1 Langchain | 2023-12-10 | N/A | 9.8 CRITICAL | An issue in Harrison Chase langchain v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions.
CVE-2020-28848 | 1 Churchcrm | 1 Churchcrm | 2023-12-10 | N/A | 8.8 HIGH | CSV Injection vulnerability in ChurchCRM version 4.2.0 allows remote attackers to execute arbitrary code via a crafted CSV file.
CVE-2022-4145 | 1 Redhat | 1 Openshift Container Platform | 2023-12-10 | N/A | 5.3 MEDIUM | A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.
CVE-2023-43661 | 1 All-three | 1 Cachet | 2023-12-10 | N/A | 8.8 HIGH | Cachet is an open-source status page system. Prior to the 2.4 branch, the template functionality, which allows users to create templates, allows them to execute arbitrary code on the server because of insufficient filtering and an outdated Twig version. Commit 6fb043e109d2a262ce3974e863c54e9e5f5e0587 of the 2.4 branch contains a patch for this issue.
CVE-2023-38609 | 1 Apple | 1 Macos | 2023-12-10 | N/A | 7.5 HIGH | An injection issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.5. An app may be able to bypass certain Privacy preferences.
CVE-2023-4197 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2023-12-10 | N/A | 8.8 HIGH | Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
CVE-2023-36250 | 1 Gnome | 1 Gnome-time Tracker | 2023-12-10 | N/A | 7.8 HIGH | CSV Injection vulnerability in GNOME time tracker version 3.0.2 allows local attackers to execute arbitrary code via a crafted .tsv file when creating a new record.
CVE-2023-43835 | 1 Superstorefinder | 1 Super Store Finder | 2023-12-10 | N/A | 8.8 HIGH | Super Store Finder 3.7 and below is vulnerable to authenticated Arbitrary PHP Code Injection that could lead to Remote Code Execution when settings overwrite config.inc.php content.
CVE-2023-41039 | 1 Zope | 1 Restrictedpython | 2023-12-10 | N/A | 7.7 HIGH | RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects they can access. This can lead to critical information disclosure. With `RestrictedPython`, the format functionality is available via the `format` and `format_map` methods of `str` (and `unicode`) (accessed either via the class or its instances) and via `string.Formatter`. All known versions of `RestrictedPython` are vulnerable. This issue has been addressed in commit `4134aedcff1`, which has been included in the 5.4 and 6.2 releases. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-3922 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 7.1 HIGH | An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.
CVE-2023-44270 | 1 Postcss | 1 Postcss | 2023-12-10 | N/A | 5.3 MEDIUM | An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
CVE-2022-24989 | 1 Terra-master | 30 F2-210, F2-221, F2-223 and 27 more | 2023-12-10 | N/A | 9.8 CRITICAL | TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
CVE-2023-1523 | 1 Canonical | 2 Snapd, Ubuntu Linux | 2023-12-10 | N/A | 10.0 CRITICAL | Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal, which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected; this can only be exploited when snaps are run on a virtual console.
CVE-2023-4767 | 1 Zohocorp | 1 Manageengine Desktop Central | 2023-12-10 | N/A | 6.1 MEDIUM | A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.
CVE-2020-24275 | 1 Swoole | 1 Swoole | 2023-12-10 | N/A | 6.5 MEDIUM | An HTTP response header injection vulnerability in Swoole v4.5.2 allows attackers to execute arbitrary code via supplying a crafted URL.
CVE-2023-39213 | 1 Zoom | 2 Virtual Desktop Infrastructure, Zoom | 2023-12-10 | N/A | 9.8 CRITICAL | Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client before 5.15.2 may allow an unauthenticated user to enable an escalation of privilege via network access.
CVE-2023-4393 | 1 Liquidfiles | 1 Liquidfiles | 2023-12-10 | N/A | 6.1 MEDIUM | HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below allow an attacker to perform more advanced phishing attacks against an organization.
CVE-2023-31209 | 1 Tribe29 | 1 Checkmk | 2023-12-10 | N/A | 8.8 HIGH | Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users.
CVE-2022-47583 | 1 Mintty Project | 1 Mintty | 2023-12-10 | N/A | 9.8 CRITICAL | Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.
CVE-2023-26148 | 1 Ithewei | 1 Libhv | 2023-12-10 | N/A | 5.3 MEDIUM | All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return, line feed) characters and inject additional headers into the request sent.