The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2023-42362 | An arbitrary file upload vulnerability in Teller Web App v.4.4.0 allows a remote attacker to execute arbitrary commands and obtain sensitive information via uploading a crafted file. | -- | Sep 15, 2023 |
| CVE-2023-42359 | SQL injection vulnerability in Exam Form Submission in PHP with Source Code v.1.0 allows a remote attacker to escalate privileges via the val-username parameter in /index.php. | -- | Sep 19, 2023 |
| CVE-2023-42336 | An issue in NETIS SYSTEMS WF2409Ev4 v.1.0.1.705 allows a remote attacker to execute arbitrary code and obtain sensitive information via the password parameter in the /etc/shadow.sample component. | -- | Sep 17, 2023 |
| CVE-2023-42335 | Unrestricted File Upload vulnerability in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to execute arbitrary code via the add attachment function in the New Expense component. | -- | Sep 20, 2023 |
| CVE-2023-42334 | An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter. | -- | Sep 20, 2023 |
| CVE-2023-42331 | A file upload vulnerability in EliteCMS 1.01 allows a remote attacker to execute arbitrary code via the manage_uploads.php component. | -- | Sep 20, 2023 |
| CVE-2023-42328 | An issue in PeppermintLabs Peppermint v.0.2.4 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the hardcoded session cookie. | -- | Sep 18, 2023 |
| CVE-2023-42322 | Insecure Permissions vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to obtain sensitive information. | -- | Sep 20, 2023 |
| CVE-2023-42321 | Cross Site Request Forgery (CSRF) vulnerability in icmsdev iCMSv.7.0.16 allows a remote attacker to execute arbitrary code via the user.admincp.php, members.admincp.php, and group.admincp.php files. | -- | Sep 20, 2023 |
| CVE-2023-42320 | Buffer Overflow vulnerability in Tenda AC10V4 v.US_AC10V4.0si_V16.03.10.13_cn_TDC01 allows a remote attacker to cause a denial of service via the mac parameter in the GetParentControlInfo function. | -- | Sep 18, 2023 |
| CVE-2023-42280 | mee-admin 1.5 is vulnerable to Directory Traversal. The download method in the CommonFileController.java file does not verify the incoming data, resulting in arbitrary file reading. | -- | Sep 22, 2023 |
| CVE-2023-42279 | Dreamer CMS 4.1.3 is vulnerable to SQL Injection. | -- | Sep 22, 2023 |
| CVE-2023-42278 | hutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse(). | -- | Sep 13, 2023 |
| CVE-2023-42277 | hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath. | -- | Sep 13, 2023 |
| CVE-2023-42276 | hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray. | -- | Sep 13, 2023 |
| CVE-2023-42270 | Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF). | -- | Sep 15, 2023 |
| CVE-2023-42268 | Jeecg boot up to v3.5.3 was discovered to contain a SQL injection vulnerability via the component /jeecg-boot/jmreport/show. | -- | Sep 12, 2023 |
| CVE-2023-42261 | ** DISPUTED ** Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor\'s position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server. | -- | Sep 22, 2023 |
| CVE-2023-42253 | Code-Projects Vehicle Management 1.0 is vulnerable to Cross Site Scripting (XSS) in Add Accounts via Invoice No, To, and Mammul. | -- | Sep 19, 2023 |
| CVE-2023-42180 | An arbitrary file upload vulnerability in the /user/upload component of lenosp 1.0-1.2.0 allows attackers to execute html code via a crafted JPG file. | -- | Sep 14, 2023 |
| CVE-2023-42178 | Lenosp 1.0.0-1.2.0 is vulnerable to SQL Injection via the log query module. | -- | Sep 14, 2023 |
| CVE-2023-42147 | An issue in CloudExplorer Lite 1.3.1 allows an attacker to obtain sensitive information via the login key component. | -- | Sep 20, 2023 |
| CVE-2023-41993 | The issue was addressed with improved checks. This issue is fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, Safari 16.6.1. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. | -- | Sep 22, 2023 |
| CVE-2023-41992 | The issue was addressed with improved checks. This issue is fixed in iOS 16.7 and iPadOS 16.7, OS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, macOS Monterey 12.7, watchOS 10.0.1. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. | -- | Sep 22, 2023 |
| CVE-2023-41991 | A certificate validation issue was addressed. This issue is fixed in iOS 16.7 and iPadOS 16.7, OS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, watchOS 10.0.1. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. | -- | Sep 22, 2023 |
| CVE-2023-41990 | The issue was addressed with improved handling of caches. This issue is fixed in tvOS 16.3, iOS 16.3 and iPadOS 16.3, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Ventura 13.2, watchOS 9.3. Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. | -- | Sep 12, 2023 |
| CVE-2023-41965 | ** UNSUPPPORTED WHEN ASSIGNED ** Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process. | -- | Sep 19, 2023 |
| CVE-2023-41949 | Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Avirtum iFolders plugin <= 1.5.0 versions. | -- | Sep 26, 2023 |
| CVE-2023-41948 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Christoph Rado Cookie Notice & Consent plugin <= 1.6.0 versions. | -- | Sep 26, 2023 |
| CVE-2023-41947 | A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials. | -- | Sep 7, 2023 |
| CVE-2023-41946 | A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username. | -- | Sep 7, 2023 |
| CVE-2023-41945 | Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted. | -- | Sep 7, 2023 |
| CVE-2023-41944 | Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability. | -- | Sep 7, 2023 |
| CVE-2023-41943 | Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue. | -- | Sep 7, 2023 |
| CVE-2023-41942 | A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue. | -- | Sep 7, 2023 |
| CVE-2023-41941 | A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. | -- | Sep 7, 2023 |
| CVE-2023-41940 | Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents. | -- | Sep 7, 2023 |
| CVE-2023-41939 | Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they\'re no longer entitled to. | -- | Sep 7, 2023 |
| CVE-2023-41938 | A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules. | -- | Sep 7, 2023 |
| CVE-2023-41937 | Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. | -- | Sep 7, 2023 |
| CVE-2023-41936 | Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token. | -- | Sep 7, 2023 |
| CVE-2023-41935 | Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce. | -- | Sep 7, 2023 |
| CVE-2023-41934 | Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if Treat username as secret is checked. | -- | Sep 7, 2023 |
| CVE-2023-41933 | Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | -- | Sep 7, 2023 |
| CVE-2023-41932 | Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict \'timestamp\' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called \'history.xml\'. | -- | Sep 7, 2023 |
| CVE-2023-41931 | Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability. | -- | Sep 7, 2023 |
| CVE-2023-41930 | Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the \'name\' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin. | -- | Sep 7, 2023 |
| CVE-2023-41929 | A DLL hijacking vulnerability in Samsung Memory Card & UFD Authentication Utility PC Software before 1.0.1 could allow a local attacker to escalate privileges. (An attacker must already have user privileges on Windows to exploit this vulnerability.) | -- | Sep 18, 2023 |
| CVE-2023-41915 | OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0. | -- | Sep 10, 2023 |
| CVE-2023-41910 | An issue was discovered in lldpd before 1.0.17. By crafting a CDP PDU packet with specific CDP_TLV_ADDRESSES TLVs, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory. This occurs in cdp_decode in daemon/protocols/cdp.c. | -- | Sep 5, 2023 |
