The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2023-3080 | The WP Mail Catcher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Jul 12, 2023 | n/a |
| CVE-2023-3079 | Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | -- | Jun 6, 2023 | n/a |
| CVE-2023-3078 | An uncontrolled search path vulnerability was reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges. | -- | Aug 17, 2023 | n/a |
| CVE-2023-3077 | The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins\' pro features, and uses the woocommerce-appointments plugin. | -- | Jul 10, 2023 | n/a |
| CVE-2023-3076 | The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin\'s pro features. | -- | Jul 10, 2023 | n/a |
| CVE-2023-3075 | Cross-Site Request Forgery (CSRF) in GitHub repository tsolucio/corebos prior to 8. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3074 | Cross-site Scripting (XSS) - Stored in GitHub repository tsolucio/corebos prior to 8. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3073 | Cross-site Scripting (XSS) - Stored in GitHub repository tsolucio/corebos prior to 8 via evvtgendoc. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3072 | HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11. | -- | Jul 20, 2023 | n/a |
| CVE-2023-3071 | Cross-site Scripting (XSS) - Stored in GitHub repository tsolucio/corebos prior to 8. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3070 | Cross-site Scripting (XSS) - Stored in GitHub repository tsolucio/corebos prior to 8. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3069 | Unverified Password Change in GitHub repository tsolucio/corebos prior to 8. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3068 | A vulnerability classified as critical has been found in Campcodes Retro Cellphone Online Store 1.0. Affected is an unknown function of the file /admin/modal_add_product.php. The manipulation of the argument category leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230580. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3067 | Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.59.4. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3066 | Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: through 1.3.20. | -- | Jun 5, 2023 | n/a |
| CVE-2023-3065 | Improper Authentication vulnerability in Mobatime mobile application AMXGT100 allows Authentication Bypass.This issue affects Mobatime mobile application AMXGT100 through 1.3.20. | -- | Jun 5, 2023 | n/a |
| CVE-2023-3064 | Anonymous user may get the list of existing users managed by the application, that could ease further attacks (see CVE-2023-3065 and 3066)This issue affects Mobatime mobile application AMXGT100 through 1.3.20. | -- | Jun 5, 2023 | n/a |
| CVE-2023-3063 | The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above, to change user passwords and potentially take over administrator accounts. | -- | Jun 30, 2023 | n/a |
| CVE-2023-3062 | A vulnerability was found in code-projects Agro-School Management System 1.0. It has been classified as critical. Affected is an unknown function of the file index.php. The manipulation of the argument password leads to sql injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-230568. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3061 | A vulnerability was found in code-projects Agro-School Management System 1.0 and classified as critical. This issue affects some unknown processing of the file btn_functions.php of the component Attachment Image Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-230567. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3060 | A vulnerability has been found in code-projects Agro-School Management System 1.0 and classified as problematic. This vulnerability affects the function doAddQuestion of the file btn_functions.php. The manipulation of the argument Question leads to cross site scripting. The attack can be initiated remotely. VDB-230566 is the identifier assigned to this vulnerability. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3059 | A vulnerability, which was classified as critical, was found in SourceCodester Online Exam Form Submission 1.0. This affects an unknown part of the file /admin/update_s6.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230565 was assigned to this vulnerability. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3058 | A vulnerability was found in 07FLY CRM up to 1.2.0. It has been declared as problematic. This vulnerability affects unknown code of the component User Profile Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230560. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3057 | A vulnerability was found in YFCMF up to 3.0.4. It has been rated as problematic. This issue affects some unknown processing of the file app/admin/controller/Ajax.php. The manipulation of the argument controllername leads to path traversal: \'../filedir\'. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230543. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3056 | A vulnerability was found in YFCMF up to 3.0.4. It has been declared as problematic. This vulnerability affects unknown code of the file index.php. The manipulation leads to path traversal: \'../filedir\'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-230542 is the identifier assigned to this vulnerability. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3055 | The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the \'azh_save\' function. This makes it possible for unauthenticated attackers to update the post content and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | -- | Jun 5, 2023 | n/a |
| CVE-2023-3053 | The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \'azh_add_post\' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and post status. | -- | Jun 5, 2023 | n/a |
| CVE-2023-3052 | The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the \'azh_add_post\', \'azh_duplicate_post\', \'azh_update_post\' and \'azh_remove_post\' functions. This makes it possible for unauthenticated attackers to create, modify, and delete a post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | -- | Jun 5, 2023 | n/a |
| CVE-2023-3051 | The Page Builder by AZEXO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \'azh_post\' shortcode in versions up to, and including, 1.27.133 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Jun 5, 2023 | n/a |
| CVE-2023-3050 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision vulnerability in TMT Lockcell allows Privilege Abuse, Authentication Bypass.This issue affects Lockcell: before 15. | -- | Jun 13, 2023 | n/a |
| CVE-2023-3049 | Unrestricted Upload of File with Dangerous Type vulnerability in TMT Lockcell allows Command Injection.This issue affects Lockcell: before 15. | -- | Jun 13, 2023 | n/a |
| CVE-2023-3048 | Authorization Bypass Through User-Controlled Key vulnerability in TMT Lockcell allows Authentication Abuse, Authentication Bypass.This issue affects Lockcell: before 15. | -- | Jun 13, 2023 | n/a |
| CVE-2023-3047 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in TMT Lockcell allows SQL Injection.This issue affects Lockcell: before 15. | -- | Jun 13, 2023 | n/a |
| CVE-2023-3046 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Biltay Technology Scienta allows SQL Injection.This issue affects Scienta: before 20230630.1953. | -- | Jul 25, 2023 | n/a |
| CVE-2023-3045 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Tise Technology Parking Web Report allows SQL Injection.This issue affects Parking Web Report: before 2.1. | -- | Jul 10, 2023 | n/a |
| CVE-2023-3044 | An excessively large PDF page size (found in fuzz testing, unlikely in normal PDF files) can result in a divide-by-zero in Xpdf\'s text extraction code. This is related to CVE-2022-30524, but the problem here is caused by a very large page size, rather than by a very large character coordinate. | -- | Jun 5, 2023 | n/a |
| CVE-2023-3043 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may cause a stack-based buffer overflow via an adjacent network. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. | -- | Jan 10, 2024 | n/a |
| CVE-2023-3042 | In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn\'t. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+ | -- | Oct 18, 2023 | n/a |
| CVE-2023-3041 | The Autochat Automatic Conversation WordPress plugin through 1.1.7 does not sanitise and escape user input before outputting it back on the page, leading to a cross-site Scripting attack. | -- | Jul 17, 2023 | n/a |
| CVE-2023-3040 | A debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker to launch a DoS if the function was used to parse untrusted input data. It is important to note that because this debug function was only used in tests and demos, it was not exploitable in a normal environment. | -- | Jun 14, 2023 | n/a |
| CVE-2023-3039 | SD ROM Utility, versions prior to 1.0.2.0 contain an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access. | -- | Sep 12, 2023 | n/a |
| CVE-2023-3038 | SQL injection vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the rows parameter of the jsonGrid route and extract all the information stored in the application. | -- | Oct 5, 2023 | n/a |
| CVE-2023-3037 | Improper authorization vulnerability in HelpDezk Community affecting version 1.1.10. This vulnerability could allow a remote attacker to access the platform without authentication and retrieve personal data via the jsonGrid parameter. | -- | Oct 5, 2023 | n/a |
| CVE-2023-3036 | An unchecked read in NTP server in github.com/cloudflare/cfnts prior to commit 783490b https://github.com/cloudflare/cfnts/commit/783490b913f05e508a492cd7b02e3c4ec2297b71 enabled a remote attacker to trigger a panic by sending an NTSAuthenticator packet with extension length longer than the packet contents. | -- | Jun 14, 2023 | n/a |
| CVE-2023-3035 | A vulnerability has been found in Guangdong Pythagorean OA Office System up to 4.50.31 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Schedule Handler. The manipulation of the argument description leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230467. | -- | Jun 1, 2023 | n/a |
| CVE-2023-3034 | Reflected XSS affects the ‘mode’ parameter in the /admin functionality of the web application in versions <=2.0.44 | -- | Jun 28, 2023 | n/a |
| CVE-2023-3033 | Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3032 | Unrestricted Upload of File with Dangerous Type vulnerability in Mobatime web application (Documentary proof upload modules) allows a malicious user to Upload a Web Shell to a Web Server.This issue affects Mobatime web application: through 06.7.22. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3031 | Improper Limitation of a Pathname leads to a Path Traversal vulnerability in the module King-Avis for Prestashop, allowing a user knowing the download token to read arbitrary local files.This issue affects King-Avis: before 17.3.15. | -- | Jun 2, 2023 | n/a |
| CVE-2023-3029 | A vulnerability has been found in Guangdong Pythagorean OA Office System up to 4.50.31 and classified as problematic. This vulnerability affects unknown code of the file /note/index/delete. The manipulation of the argument id leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-230458 is the identifier assigned to this vulnerability. | -- | Jun 1, 2023 | n/a |
