The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2023-23606 | Memory safety bugs fixed in Firefox 109 | -- | Jan 18, 2023 |
| CVE-2023-23605 | Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 | -- | Jan 18, 2023 |
| CVE-2023-23604 | Creation of duplicate <code>SystemPrincipal</code> from less secure contexts | -- | Jan 18, 2023 |
| CVE-2023-23603 | Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive | -- | Jan 18, 2023 |
| CVE-2023-23602 | Content Security Policy wasnt being correctly applied to WebSockets in WebWorkers | -- | Jan 18, 2023 |
| CVE-2023-23601 | URL being dragged from cross-origin iframe into same tab triggers navigation | -- | Jan 18, 2023 |
| CVE-2023-23600 | Notification permissions persisted between Normal and Private Browsing on Android | -- | Jan 18, 2023 |
| CVE-2023-23599 | Malicious command could be hidden in devtools output on Windows | -- | Jan 18, 2023 |
| CVE-2023-23598 | Arbitrary file read from GTK drag and drop on Linux | -- | Jan 18, 2023 |
| CVE-2023-23597 | firefox: Logic bug in process allocation allowed to read arbitrary files | -- | Jan 18, 2023 |
| CVE-2023-23596 | jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an authenticated attacker to execute arbitrary commands on the system. NOTE: this is not part of any NGINX software shipped by F5. | -- | Jan 20, 2023 |
| CVE-2023-23595 | BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as machine example.com login daniel password qwerty in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected. | -- | Jan 15, 2023 |
| CVE-2023-23590 | Mercedes-Benz XENTRY Retail Data Storage 7.8.1 allows remote attackers to cause a denial of service (device restart) via an unauthenticated API request. The attacker must be on the same network as the device. | -- | Jan 15, 2023 |
| CVE-2023-23589 | The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002. | -- | Jan 14, 2023 |
| CVE-2023-23566 | A 2-Step Verification problem in Axigen 10.3.3.52 allows an attacker to access a mailbox by bypassing 2-Step Verification when they try to add an account to any third-party webmail service (or add an account to Outlook or Gmail, etc.) with IMAP or POP3 without any verification code. | -- | Jan 13, 2023 |
| CVE-2023-23560 | In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation. | -- | Jan 24, 2023 |
| CVE-2023-23559 | In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. | -- | Jan 13, 2023 |
| CVE-2023-23492 | The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the \'ID\' parameter of its \'lwp_forgot_password\' action. | -- | Jan 27, 2023 |
| CVE-2023-23491 | The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected by a reflected cross-site scripting vulnerability in the \'category\' parameter of its \'qem_ajax_calendar\' action. | -- | Jan 26, 2023 |
| CVE-2023-23490 | The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the \'surveys_ids\' parameter of its \'ays_surveys_export_json\' action. | -- | Jan 26, 2023 |
| CVE-2023-23489 | The Easy Digital Downloads WordPress Plugin, version < 3.1.0.4, is affected by an unauthenticated SQL injection vulnerability in the \'s\' parameter of its \'edd_download_search\' action. | -- | Jan 26, 2023 |
| CVE-2023-23488 | The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the \'code\' parameter of the \'/pmpro/v1/order\' REST route. | -- | Jan 26, 2023 |
| CVE-2023-23457 | A Segmentation fault was found in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a crafted input file allows invalid memory address access that could lead to a denial of service. | -- | Jan 12, 2023 |
| CVE-2023-23456 | A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file. | -- | Jan 12, 2023 |
| CVE-2023-23455 | atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). | -- | Jan 12, 2023 |
| CVE-2023-23454 | cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). | -- | Jan 12, 2023 |
| CVE-2023-23331 | Amano Xoffice parking solutions 7.1.3879 is vulnerable to SQL Injection. | -- | Jan 24, 2023 |
| CVE-2023-23314 | An arbitrary file upload vulnerability in the /api/upload component of zdir v3.2.0 allows attackers to execute arbitrary code via a crafted .ssh file. | -- | Jan 23, 2023 |
| CVE-2023-23151 | bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file deletion vulnerability via the component /include/inc_content_media.php. | -- | Jan 27, 2023 |
| CVE-2023-23145 | GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a memory leak in lsr_read_rare_full function. | -- | Jan 23, 2023 |
| CVE-2023-23144 | Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file bifs/unquantize.c in GPAC version 2.2-rev0-gab012bbfb-master. | -- | Jan 23, 2023 |
| CVE-2023-23143 | Buffer overflow vulnerability in function avc_parse_slice in file media_tools/av_parsers.c. GPAC version 2.3-DEV-rev1-g4669ba229-master. | -- | Jan 23, 2023 |
| CVE-2023-23024 | Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the writer parameter. | -- | Jan 26, 2023 |
| CVE-2023-23015 | Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php. | -- | Jan 26, 2023 |
| CVE-2023-23014 | Cross Site Scripting (XSS) vulnerability in InventorySystem thru commit e08fbbe17902146313501ed0b5feba81d58f455c (on Apr 23, 2021) via edit_store_name and edit_active inputs in file InventorySystem.php. | -- | Jan 28, 2023 |
| CVE-2023-23012 | Cross Site Scripting (XSS) vulnerability in craigrodway classroombookings 2.6.4 allows attackers to execute arbitrary code or other unspecified impacts via the input bgcol in file Weeks.php. | -- | Jan 28, 2023 |
| CVE-2023-23010 | Cross Site Scripting (XSS) vulnerability in Ecommerce-CodeIgniter-Bootstrap thru commit d5904379ca55014c5df34c67deda982c73dc7fe5 (on Dec 27, 2022), allows attackers to execute arbitrary code via the languages and trans_load parameters in file add_product.php. | -- | Jan 28, 2023 |
| CVE-2023-22971 | Cross Site Scripting (XSS) vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application. | -- | Jan 27, 2023 |
| CVE-2023-22964 | Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled. | -- | Jan 27, 2023 |
| CVE-2023-22963 | The personnummer implementation before 3.0.3 for Dart mishandles numbers in which the last four digits match the ^000[0-9]$ regular expression. | -- | Jan 11, 2023 |
| CVE-2023-22960 | Lexmark products through 2023-01-10 have Improper Control of Interaction Frequency. | -- | Jan 24, 2023 |
| CVE-2023-22959 | WebChess through 0.9.0 and 1.0.0.rc2 allows SQL injection: mainmenu.php, chess.php, and opponentspassword.php (txtFirstName, txtLastName). | -- | Jan 11, 2023 |
| CVE-2023-22958 | The Syracom Secure Login plugin before 3.1.1.0 for Jira may allow spoofing of 2FA PIN validation via the plugins/servlet/twofactor/public/pinvalidation target parameter. | -- | Jan 11, 2023 |
| CVE-2023-22952 | In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation. | -- | Jan 11, 2023 |
| CVE-2023-22947 | ** DISPUTED ** Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable\'s folder. This occurs because the installation goes under C:\\opt (rather than C:\\Program Files) by default. NOTE: the vendor disputes the significance of this report, stating that We consider the ACLs a best effort thing and it was a documentation mistake. | -- | Jan 11, 2023 |
| CVE-2023-22945 | In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. | -- | Jan 11, 2023 |
| CVE-2023-22912 | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt. | -- | Jan 26, 2023 |
| CVE-2023-22911 | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context. | -- | Jan 13, 2023 |
| CVE-2023-22910 | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability. | -- | Jan 26, 2023 |
| CVE-2023-22909 | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow. | -- | Jan 13, 2023 |
