Vulnerabilities (CVE)

Total 210712 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-27042 2023-03-24 N/A N/A
Tenda AX3 V16.03.12.11 is vulnerable to Buffer Overflow via /goform/SetFirewallCfg.
CVE-2023-23149 2023-03-24 N/A N/A
DEK-1705 <=Firmware:34.23.1 device was discovered to have a command execution vulnerability.
CVE-2022-45597 2023-03-24 N/A N/A
ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation.
CVE-2023-24258 1 Spip 1 Spip 2023-03-24 N/A 9.8 CRITICAL
SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request.
CVE-2022-24197 1 Itextpdf 1 Itext 2023-03-24 4.3 MEDIUM 6.5 MEDIUM
iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
CVE-2023-28150 2023-03-24 N/A N/A
An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.
CVE-2023-27055 2023-03-24 N/A N/A
Aver Information Inc PTZApp2 v20.01044.48 allows attackers to access sensitive files via a crafted GET request.
CVE-2023-26864 2023-03-24 N/A N/A
SQL injection vulnerability found in PrestaShop smplredirectionsmanager v.1.1.19 and before allow a remote attacker to gain privileges via the SmplTools::getMatchingRedirectionsFromPartscomponent.
CVE-2023-1583 2023-03-24 N/A N/A
A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux Kernel. When fixed files are unregistered, some context information (file_alloc_{start,end} and alloc_hint) is not cleared. A subsequent request that has auto index selection enabled via IORING_FILE_INDEX_ALLOC can cause a NULL pointer dereference. An unprivileged user can use the flaw to cause a system crash.
CVE-2022-24196 1 Itextpdf 1 Itext 2023-03-24 4.3 MEDIUM 6.5 MEDIUM
iText v7.1.17, up to (exluding)": 7.1.18 and 7.2.2 was discovered to contain an out-of-memory error via the component readStreamBytesRaw, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
CVE-2021-43113 2 Debian, Itextpdf 2 Debian Linux, Itext 2023-03-24 7.5 HIGH 9.8 CRITICAL
iTextPDF in iText 7 and up to (excluding 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in
CVE-2023-28435 2023-03-24 N/A N/A
Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface is not checked so users who are not logged in can upload directly to the background. The file type also goes unchecked, users could upload any type of file. These vulnerabilities has been fixed in version 1.18.5.
CVE-2023-1578 1 Pimcore 1 Pimcore 2023-03-24 N/A 8.8 HIGH
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19.
CVE-2023-25069 2 Linux, Trendmicro 2 Linux Kernel, Txone Stellarone 2023-03-24 N/A 8.8 HIGH
TXOne StellarOne has an improper access control privilege escalation vulnerability in every version before V2.0.1160 that could allow a malicious, falsely authenticated user to escalate his privileges to administrator level. With these privileges, an attacker could perform actions they are not authorized to. Please note: an attacker must first obtain a low-privileged authenticated user's profile on the target system in order to exploit this vulnerability.
CVE-2023-27856 1 Rockwellautomation 1 Thinmanager 2023-03-24 N/A 7.5 HIGH
In affected versions, path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.
CVE-2022-4095 1 Linux 1 Linux Kernel 2023-03-24 N/A 7.8 HIGH
A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.
CVE-2023-1281 1 Linux 1 Linux Kernel 2023-03-24 N/A 7.8 HIGH
Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.
CVE-2023-28448 2023-03-24 N/A N/A
Versionize is a framework for version tolerant serializion/deserialization of Rust data structures, designed for usecases that need fast deserialization times and minimal size overhead. An issue was discovered in the ‘Versionize::deserialize’ implementation provided by the ‘versionize’ crate for ‘vmm_sys_utils::fam::FamStructWrapper', which can lead to out of bounds memory accesses. The impact started with version 0.1.1. The issue was corrected in version 0.1.10 by inserting a check that verifies, for any deserialized header, the lengths of compared flexible arrays are equal and aborting deserialization otherwise.
CVE-2023-28446 2023-03-24 N/A N/A
Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text. This works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers). This issue has been patched in version 1.31.2.
CVE-2023-28444 2023-03-24 N/A N/A
angular-server-side-configuration helps configure an angular application at runtime on the server or in a docker container via environment variables. angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI project. The detected environment variables are written to a ngssc.json file in the output directory. During deployment of an Angular based app, the environment variables based on the variables from ngssc.json are inserted into the apps index.html (or defined index file). With version 15.0.0 the environment variable detection was widened to the entire project, relative to the angular.json file from the Angular CLI. In a monorepo setup, this could lead to environment variables intended for a backend/service to be detected and written to the ngssc.json, which would then be populated and exposed via index.html. This has NO IMPACT, in a plain Angular project that has no backend component. This vulnerability has been mitigated in version 15.1.0, by adding an option `searchPattern` which restricts the detection file range by default. As a workaround, manually edit or create ngssc.json or run script after ngssc.json generation.