Total
4626 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-45849 | 1 Perforce | 1 Helix Core | 2024-11-21 | N/A | 9.0 CRITICAL |
| An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner. | |||||
| CVE-2023-45751 | 1 Posimyth | 1 Nexter Extension | 2024-11-21 | N/A | 9.1 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability in POSIMYTH Nexter Extension.This issue affects Nexter Extension: from n/a through 2.0.3. | |||||
| CVE-2023-45735 | 1 Westermo | 2 L206-f2g, L206-f2g Firmware | 2024-11-21 | N/A | 8.0 HIGH |
| A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device. | |||||
| CVE-2023-45560 | 1 Memberscard Project | 1 Memberscard | 2024-11-21 | N/A | 7.5 HIGH |
| An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. | |||||
| CVE-2023-45311 | 1 Fsevents Project | 1 Fsevents | 2024-11-21 | N/A | 9.8 CRITICAL |
| fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary. | |||||
| CVE-2023-44847 | 1 Seacms | 1 Seacms | 2024-11-21 | N/A | 7.2 HIGH |
| An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ Weixin.php component. | |||||
| CVE-2023-44846 | 1 Seacms | 1 Seacms | 2024-11-21 | N/A | 8.8 HIGH |
| An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ notify.php component. | |||||
| CVE-2023-44392 | 1 Garden | 1 Garden | 2024-11-21 | N/A | 8.2 HIGH |
| Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes `ConfigMap` resources prefixed with `test-result` and `run-result` to cache Garden test and run results. These `ConfigMaps` are stored either in the `garden-system` namespace or the configured user namespace. When a user invokes the command `garden test` or `garden run` objects stored in the `ConfigMap` are retrieved and deserialized. This can be used by an attacker with access to the Kubernetes cluster to store malicious objects in the `ConfigMap`, which can trigger a remote code execution on the users machine when cryo deserializes the object. In order to exploit this vulnerability, an attacker must have access to the Kubernetes cluster used to deploy garden remote environments. Further, a user must actively invoke either a `garden test` or `garden run` which has previously cached results. The issue has been patched in Garden versions `0.13.17` (Bonsai) and `0.12.65` (Acorn). Only Garden versions prior to these are vulnerable. No known workarounds are available. | |||||
| CVE-2023-44382 | 1 Octobercms | 1 October | 2024-11-21 | N/A | 9.1 CRITICAL |
| October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This issue has been patched in 3.4.15. | |||||
| CVE-2023-44381 | 1 Octobercms | 1 October | 2024-11-21 | N/A | 4.9 MEDIUM |
| October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can craft a special request to include PHP code in the CMS template. This issue has been patched in version 3.4.15. | |||||
| CVE-2023-44141 | 1 Inkdrop | 1 Inkdrop | 2024-11-21 | N/A | 7.8 HIGH |
| Inkdrop prior to v5.6.0 allows a local attacker to conduct a code injection attack by having a legitimate user open a specially crafted markdown file. | |||||
| CVE-2023-44011 | 1 Mojoportal | 1 Mojoportal | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the layout.master skin file at the Skin management component. | |||||
| CVE-2023-43955 | 1 Fedirtsapana | 1 Tv Bro | 2024-11-21 | N/A | 9.8 CRITICAL |
| The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData. | |||||
| CVE-2023-43792 | 1 Basercms | 1 Basercms | 2024-11-21 | N/A | 9.8 CRITICAL |
| baserCMS is a website development framework. In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. As of time of publication, no known patched versions are available. | |||||
| CVE-2023-43625 | 1 Siemens | 1 Simcenter Amesim | 2024-11-21 | N/A | 9.8 CRITICAL |
| A vulnerability has been identified in Simcenter Amesim (All versions < V2021.1). The affected application contains a SOAP endpoint that could allow an unauthenticated remote attacker to perform DLL injection and execute arbitrary code in the context of the affected application process. | |||||
| CVE-2023-43481 | 1 Tcl | 1 Browser Tv Web - Browsehere | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePageActivity component. | |||||
| CVE-2023-43364 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution. | |||||
| CVE-2023-43352 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | N/A | 7.8 HIGH |
| An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component. | |||||
| CVE-2023-43301 | 1 Linecorp | 1 Line | 2024-11-21 | N/A | 8.2 HIGH |
| An issue in DARTS SHOP MAXIM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | |||||
| CVE-2023-43270 | 1 Dst-admin Project | 1 Dst-admin | 2024-11-21 | N/A | 9.8 CRITICAL |
| dst-admin v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the userId parameter at /home/playerOperate. | |||||