The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2023-4867 | A vulnerability was found in Xintian Smart Table Integrated Management System 5.6.9. It has been classified as critical. Affected is an unknown function of the file /SysManage/AddUpdateSites.aspx of the component Added Site Page. The manipulation of the argument TbxSiteName leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239352. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4866 | A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0 and classified as critical. This issue affects the function exec of the file booking.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-239351. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4865 | A vulnerability has been found in SourceCodester Take-Note App 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239350 is the identifier assigned to this vulnerability. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4864 | A vulnerability, which was classified as problematic, was found in SourceCodester Take-Note App 1.0. This affects an unknown part of the file index.php. The manipulation of the argument noteContent with the input <script>alert(\'xss\')</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239349 was assigned to this vulnerability. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4863 | Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) | -- | Sep 12, 2023 | n/a |
| CVE-2023-4862 | The File Manager Pro WordPress plugin before 1.8.1 does not adequately validate and escape some inputs, leading to XSS by high-privilege users. | -- | Oct 17, 2023 | n/a |
| CVE-2023-4861 | The File Manager Pro WordPress plugin before 1.8.1 allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution. | -- | Oct 17, 2023 | n/a |
| CVE-2023-4858 | The Simple Table Manager WordPress plugin through 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | -- | Nov 7, 2023 | n/a |
| CVE-2023-4857 | An authentication bypass vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute certain IPMI calls that could lead to exposure of limited system information. | -- | Apr 15, 2024 | n/a |
| CVE-2023-4856 | A format string vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute arbitrary commands on a specific API endpoint. | -- | Apr 15, 2024 | n/a |
| CVE-2023-4855 | A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute unauthorized commands via IPMI. | -- | Apr 15, 2024 | n/a |
| CVE-2023-4853 | A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. | -- | Sep 21, 2023 | n/a |
| CVE-2023-4852 | A vulnerability was found in IBOS OA 4.5.5 and classified as critical. This issue affects some unknown processing of the file ?r=dashboard/database/optimize. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239261 was assigned to this vulnerability. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4851 | A vulnerability has been found in IBOS OA 4.5.5 and classified as critical. This vulnerability affects unknown code of the file ?r=dashboard/position/edit&op=member. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239260. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4850 | A vulnerability, which was classified as critical, was found in IBOS OA 4.5.5. This affects an unknown part of the file ?r=dashboard/position/del. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-239259. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4849 | A vulnerability, which was classified as critical, has been found in IBOS OA 4.5.5. Affected by this issue is some unknown functionality of the file ?r=file/dashboard/trash&op=del. The manipulation of the argument fids leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-239258 is the identifier assigned to this vulnerability. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4848 | A vulnerability classified as critical was found in SourceCodester Simple Book Catalog App 1.0. Affected by this vulnerability is an unknown functionality of the file delete_book.php. The manipulation of the argument delete leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239257 was assigned to this vulnerability. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4847 | A vulnerability classified as problematic has been found in SourceCodester Simple Book Catalog App 1.0. Affected is an unknown function of the component Update Book Form. The manipulation of the argument book_title/book_author leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239256. | -- | Sep 10, 2023 | n/a |
| CVE-2023-4846 | A vulnerability was found in SourceCodester Simple Membership System 1.0. It has been rated as critical. This issue affects some unknown processing of the file delete_member.php. The manipulation of the argument mem_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-239255. | -- | Sep 13, 2023 | n/a |
| CVE-2023-4845 | A vulnerability was found in SourceCodester Simple Membership System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file account_edit_query.php. The manipulation of the argument admin_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239254 is the identifier assigned to this vulnerability. | -- | Sep 13, 2023 | n/a |
| CVE-2023-4844 | A vulnerability was found in SourceCodester Simple Membership System 1.0. It has been classified as critical. This affects an unknown part of the file club_edit_query.php. The manipulation of the argument club_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239253 was assigned to this vulnerability. | -- | Sep 11, 2023 | n/a |
| CVE-2023-4843 | Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user. | -- | Sep 12, 2023 | n/a |
| CVE-2023-4842 | The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \'social_warfare\' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Nov 7, 2023 | n/a |
| CVE-2023-4841 | The Feeds for YouTube for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \'youtube-feed\' shortcode in versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Sep 14, 2023 | n/a |
| CVE-2023-4840 | The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \'mappress\' shortcode in versions up to, and including, 2.88.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Sep 12, 2023 | n/a |
| CVE-2023-4839 | The WP Go Maps for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.0.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | -- | Mar 13, 2024 | n/a |
| CVE-2023-4838 | The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\'s shortcodes in versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes like \'before\' and \'after\'. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Sep 13, 2023 | n/a |
| CVE-2023-4837 | SmodBIP is vulnerable to Cross-Site Request Forgery, that could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges. This issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed. | -- | Oct 10, 2023 | n/a |
| CVE-2023-4836 | The WordPress File Sharing Plugin WordPress plugin before 2.0.5 does not check authorization before displaying files and folders, allowing users to gain access to those filed by manipulating IDs which can easily be brute forced | -- | Oct 31, 2023 | n/a |
| CVE-2023-4835 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in CF Software Oil Management Software allows SQL Injection.This issue affects Oil Management Software: before 20230912 . | -- | Sep 15, 2023 | n/a |
| CVE-2023-4834 | In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to. | -- | Oct 16, 2023 | n/a |
| CVE-2023-4833 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Besttem Network Marketing Software allows SQL Injection.This issue affects Network Marketing Software: before 1.0.2309.6. | -- | Sep 15, 2023 | n/a |
| CVE-2023-4832 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Aceka Company Management allows SQL Injection.This issue affects Company Management: before 3072 . | -- | Sep 14, 2023 | n/a |
| CVE-2023-4831 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Ncode Ncep allows SQL Injection.This issue affects Ncep: before 20230914 . | -- | Sep 15, 2023 | n/a |
| CVE-2023-4830 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Tura Signalix allows SQL Injection.This issue affects Signalix: 7T_0228. | -- | Sep 15, 2023 | n/a |
| CVE-2023-4829 | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22. | -- | Oct 17, 2023 | n/a |
| CVE-2023-4828 | An improper check for an exceptional condition in the Insider Threat Management (ITM) Server could be used by an attacker to change the server\'s configuration of any already-registered agent so that the agent sends all future communications to an attacker-chosen URL. This could result in disclosure of sensitive data events from the agent about the personally identifiable information (PII) and intellectual property it monitors, and all such data could be altered or deleted before reaching the ITM Server. An attacker must first successfully obtain valid agent credentials and agent hostname. All versions prior to 7.14.3.69 are affected. | -- | Sep 13, 2023 | n/a |
| CVE-2023-4827 | The File Manager Pro WordPress plugin before 1.8 does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell. | -- | Oct 16, 2023 | n/a |
| CVE-2023-4826 | The SocialDriver WordPress theme before version 2024 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting (XSS) attack. | -- | Feb 23, 2024 | n/a |
| CVE-2023-4824 | The WooHoo Newspaper Magazine theme does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | -- | Nov 24, 2023 | n/a |
| CVE-2023-4823 | The WP Meta and Date Remover WordPress plugin before 2.2.0 provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site Scripting. | -- | Oct 31, 2023 | n/a |
| CVE-2023-4822 | Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they have to any user globally. This means that any Organization Admin can elevate their own permissions in any organization that they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization that they are not already a member of, or to add any other users to an organization that the current user is not a member of. | -- | Oct 17, 2023 | n/a |
| CVE-2023-4821 | The Drag and Drop Multiple File Upload for WooCommerce WordPress plugin before 1.1.1 does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts. | -- | Oct 17, 2023 | n/a |
| CVE-2023-4820 | The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.0.12 does not sanitize and escape the media url field in posts, which could allow users with privileges as low as contributor to inject arbitrary web scripts that could target a site admin or superadmin. | -- | Oct 17, 2023 | n/a |
| CVE-2023-4819 | The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts. | -- | Oct 17, 2023 | n/a |
| CVE-2023-4818 | PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. The attacker must have physical USB access to the device in order to exploit this vulnerability. | -- | Jan 16, 2024 | n/a |
| CVE-2023-4817 | This vulnerability allows an authenticated attacker to upload malicious files by bypassing the restrictions of the upload functionality, compromising the entire device. | -- | Oct 5, 2023 | n/a |
| CVE-2023-4816 | A vulnerability exists in the Equipment Tag Out authentication, when configured with Single Sign-On (SSO) with password validation in T214. This vulnerability can be exploited by an authenticated user per-forming an Equipment Tag Out holder action (Accept, Release, and Clear) for another user and entering an arbitrary password in the holder action confirmation dialog box. Despite entering an arbitrary password in the confirmation box, the system will execute the selected holder action. | -- | Sep 11, 2023 | n/a |
| CVE-2023-4815 | Missing Authentication for Critical Function in GitHub repository answerdev/answer prior to v1.1.3. | -- | Sep 7, 2023 | n/a |
| CVE-2023-4814 | A Privilege escalation vulnerability exists in Trellix Windows DLP endpoint for windows which can be abused to delete any file/folder for which the user does not have permission to. | -- | Sep 14, 2023 | n/a |
