The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2023-2975 | Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be mislead by removing adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue. | LOW | Jul 14, 2023 | 24.03 (VxWorks 7) |
| CVE-2023-2974 | A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol. | -- | Jul 11, 2023 | n/a |
| CVE-2023-2973 | A vulnerability, which was classified as problematic, has been found in SourceCodester Students Online Internship Timesheet Syste 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_company. The manipulation of the argument name with the input <script>alert(document.cookie)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230204. | -- | May 30, 2023 | n/a |
| CVE-2023-2972 | Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3. | -- | May 30, 2023 | n/a |
| CVE-2023-2971 | Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via typora://app/typemark/. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora. | -- | Aug 20, 2023 | n/a |
| CVE-2023-2970 | A vulnerability classified as problematic was found in MindSpore 2.0.0-alpha/2.0.0-rc1. This vulnerability affects the function JsonHelper::UpdateArray of the file mindspore/ccsrc/minddata/dataset/util/json_helper.cc. The manipulation leads to memory corruption. The name of the patch is 30f4729ea2c01e1ed437ba92a81e2fc098d608a9. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-230176. | -- | May 30, 2023 | n/a |
| CVE-2023-2968 | A remote attacker can trigger a denial of service in the socket.remoteAddress variable, by sending a crafted HTTP request. Usage of the undefined variable raises a TypeError exception. | -- | May 30, 2023 | n/a |
| CVE-2023-2967 | The TinyMCE Custom Styles WordPress plugin before 1.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | -- | Jul 10, 2023 | n/a |
| CVE-2023-2964 | The Simple Iframe WordPress plugin before 1.2.0 does not properly validate one of its WordPress block attribute\'s content, which may allow users whose role is at least that of a contributor to conduct Stored Cross-Site Scripting attacks. | -- | Jul 10, 2023 | n/a |
| CVE-2023-2963 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Oliva Expertise Oliva Expertise EKS allows SQL Injection.This issue affects Oliva Expertise EKS: before 1.2. | -- | Jul 17, 2023 | n/a |
| CVE-2023-2962 | A vulnerability, which was classified as critical, has been found in SourceCodester Faculty Evaluation System 1.0. Affected by this issue is some unknown functionality of the file index.php?page=edit_user. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-230150 is the identifier assigned to this vulnerability. | -- | May 30, 2023 | n/a |
| CVE-2023-2961 | A segmentation fault flaw was found in the Advancecomp package. This may lead to decreased availability. | -- | Jun 7, 2023 | n/a |
| CVE-2023-2960 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Oliva Expertise Oliva Expertise EKS allows Cross-Site Scripting (XSS).This issue affects Oliva Expertise EKS: before 1.2. | -- | Jul 17, 2023 | n/a |
| CVE-2023-2959 | Authentication Bypass by Primary Weakness vulnerability in Oliva Expertise Oliva Expertise EKS allows Collect Data as Provided by Users.This issue affects Oliva Expertise EKS: before 1.2. | -- | Jul 17, 2023 | n/a |
| CVE-2023-2958 | Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714. | -- | Jul 17, 2023 | n/a |
| CVE-2023-2957 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Lisa Software Florist Site allows SQL Injection.This issue affects Florist Site: before 3.0. | -- | Jul 13, 2023 | n/a |
| CVE-2023-2955 | A vulnerability, which was classified as critical, was found in SourceCodester Students Online Internship Timesheet System 1.0. Affected is an unknown function of the file rendered_report.php of the component GET Parameter Handler. The manipulation of the argument sid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-230142 is the identifier assigned to this vulnerability. | -- | May 30, 2023 | n/a |
| CVE-2023-2954 | Cross-site Scripting (XSS) - Stored in GitHub repository liangliangyy/djangoblog prior to master. | -- | May 30, 2023 | n/a |
| CVE-2023-2953 | A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. | LOW | May 30, 2023 | n/a |
| CVE-2023-2952 | XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file | -- | May 30, 2023 | n/a |
| CVE-2023-2951 | A vulnerability classified as critical has been found in code-projects Bus Dispatch and Information System 1.0. Affected is an unknown function of the file delete_bus.php. The manipulation of the argument busid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230112. | -- | May 28, 2023 | n/a |
| CVE-2023-2950 | Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1. | -- | May 28, 2023 | n/a |
| CVE-2023-2949 | Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.1. | -- | May 28, 2023 | n/a |
| CVE-2023-2948 | Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1. | -- | May 28, 2023 | n/a |
| CVE-2023-2947 | Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1. | -- | May 28, 2023 | n/a |
| CVE-2023-2946 | Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1. | -- | May 28, 2023 | n/a |
| CVE-2023-2945 | Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1. | -- | May 28, 2023 | n/a |
| CVE-2023-2944 | Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1. | -- | May 28, 2023 | n/a |
| CVE-2023-2943 | Code Injection in GitHub repository openemr/openemr prior to 7.0.1. | -- | May 28, 2023 | n/a |
| CVE-2023-2942 | Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.1. | -- | May 28, 2023 | n/a |
| CVE-2023-2941 | Inappropriate implementation in Extensions API in Google Chrome prior to 114.0.5735.90 allowed an attacker who convinced a user to install a malicious extension to spoof the contents of the UI via a crafted Chrome Extension. (Chromium security severity: Low) | -- | May 30, 2023 | n/a |
| CVE-2023-2940 | Inappropriate implementation in Downloads in Google Chrome prior to 114.0.5735.90 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium) | -- | May 30, 2023 | n/a |
| CVE-2023-2939 | Insufficient data validation in Installer in Google Chrome on Windows prior to 114.0.5735.90 allowed a local attacker to perform privilege escalation via crafted symbolic link. (Chromium security severity: Medium) | -- | May 30, 2023 | n/a |
| CVE-2023-2938 | Inappropriate implementation in Picture In Picture in Google Chrome prior to 114.0.5735.90 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) | -- | May 30, 2023 | n/a |
| CVE-2023-2937 | Inappropriate implementation in Picture In Picture in Google Chrome prior to 114.0.5735.90 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) | -- | May 30, 2023 | n/a |
| CVE-2023-2936 | Type Confusion in V8 in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | -- | May 30, 2023 | n/a |
| CVE-2023-2935 | Type Confusion in V8 in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | -- | May 30, 2023 | n/a |
| CVE-2023-2934 | Out of bounds memory access in Mojo in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | -- | May 30, 2023 | n/a |
| CVE-2023-2933 | Use after free in PDF in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) | -- | May 30, 2023 | n/a |
| CVE-2023-2932 | Use after free in PDF in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) | -- | May 30, 2023 | n/a |
| CVE-2023-2931 | Use after free in PDF in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) | -- | May 30, 2023 | n/a |
| CVE-2023-2930 | Use after free in Extensions in Google Chrome prior to 114.0.5735.90 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | -- | May 30, 2023 | n/a |
| CVE-2023-2929 | Out of bounds write in Swiftshader in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | -- | May 30, 2023 | n/a |
| CVE-2023-2928 | A vulnerability was found in DedeCMS up to 5.7.106. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file uploads/dede/article_allowurl_edit.php. The manipulation of the argument allurls leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230083. | -- | May 28, 2023 | n/a |
| CVE-2023-2927 | A vulnerability was found in JIZHICMS 2.4.5. It has been classified as critical. Affected is the function index of the file TemplateController.php. The manipulation of the argument webapi leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-230082 is the identifier assigned to this vulnerability. | -- | May 28, 2023 | n/a |
| CVE-2023-2926 | A vulnerability was found in SeaCMS 11.6 and classified as problematic. This issue affects some unknown processing of the file member.php of the component Picture Upload Handler. The manipulation of the argument oldpic leads to denial of service. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230081 was assigned to this vulnerability. | -- | May 28, 2023 | n/a |
| CVE-2023-2925 | A vulnerability, which was classified as problematic, was found in Webkul krayin crm 1.2.4. This affects an unknown part of the file /admin/contacts/organizations/edit/2 of the component Edit Person Page. The manipulation of the argument Organization leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230079. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | May 28, 2023 | n/a |
| CVE-2023-2924 | A vulnerability, which was classified as critical, has been found in Supcon SimField up to 1.80.00.00. Affected by this issue is some unknown functionality of the file /admin/reportupload.aspx. The manipulation of the argument files[] leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-230078 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | May 28, 2023 | n/a |
| CVE-2023-2923 | A vulnerability classified as critical was found in Tenda AC6 US_AC6V1.0BR_V15.03.05.19. Affected by this vulnerability is the function fromDhcpListClient. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230077 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | May 28, 2023 | n/a |
| CVE-2023-2922 | A vulnerability classified as problematic has been found in SourceCodester Comment System 1.0. Affected is an unknown function of the file index.php of the component GET Parameter Handler. The manipulation of the argument msg leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230076. | -- | May 28, 2023 | n/a |
