The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2023-30197 | Incorrect Access Control in the module My inventory (myinventory) <= 1.6.6 from Webbax for PrestaShop, allows a guest to download personal information without restriction by performing a path traversal attack. | -- | May 31, 2023 | n/a |
| CVE-2023-29745 | An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a persistent denial of service attack by manipulating the database. | -- | May 31, 2023 | n/a |
| CVE-2023-29742 | An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a code execution attack by manipulating the database. | -- | May 31, 2023 | n/a |
| CVE-2023-28353 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. An unauthenticated attacker is able to upload any type of file to any location on the Teacher Console\'s computer, enabling a variety of different exploitation paths including code execution. It is also possible for the attacker to chain this vulnerability with others to cause a deployed DLL file to immediately execute as NT AUTHORITY/SYSTEM. | -- | May 31, 2023 | n/a |
| CVE-2023-28352 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. By abusing the Insight UDP broadcast discovery system, an attacker-controlled artificial Student Console can connect to and attack a Teacher Console even after Enhanced Security Mode has been enabled. | -- | May 31, 2023 | n/a |
| CVE-2023-28351 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. Every keystroke made by any user on a computer with the Student application installed is logged to a world-readable directory. A local attacker can trivially extract these cleartext keystrokes, potentially enabling them to obtain PII and/or to compromise personal accounts owned by the victim. | -- | May 31, 2023 | n/a |
| CVE-2023-28350 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. Attacker-supplied input is not validated/sanitized before being rendered in both the Teacher and Student Console applications, enabling an attacker to execute JavaScript in these applications. Due to the rich and highly privileged functionality offered by the Teacher Console, the ability to silently exploit Cross Site Scripting (XSS) on the Teacher Machine enables remote code execution on any connected student machine (and the teacher\'s machine). | -- | May 31, 2023 | n/a |
| CVE-2023-28349 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a crafted program that functions similarly to the Teacher Console. This can compel Student Consoles to connect and put themselves at risk automatically. Connected Student Consoles can be compelled to write arbitrary files to arbitrary locations on disk with NT AUTHORITY/SYSTEM level permissions, enabling remote code execution. | -- | May 31, 2023 | n/a |
| CVE-2023-28348 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. A suitably positioned attacker could perform a man-in-the-middle attack on either a connected student or teacher, enabling them to intercept student keystrokes or modify executable files being sent from teachers to students. | -- | May 31, 2023 | n/a |
| CVE-2023-28347 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a proof-of-concept script that functions similarly to a Student Console, providing unauthenticated attackers with the ability to exploit XSS vulnerabilities within the Teacher Console application and achieve remote code execution as NT AUTHORITY/SYSTEM on all connected Student Consoles and the Teacher Console in a Zero Click manner. | -- | May 31, 2023 | n/a |
| CVE-2023-28346 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for a remote attacker to communicate with the private API endpoints exposed at /login, /consoleSettings, /console, etc. despite Virtual Host Routing being used to block this access. Remote attackers can interact with private pages on the web server, enabling them to perform privileged actions such as logging into the console and changing console settings if they have valid credentials. | -- | May 31, 2023 | n/a |
| CVE-2023-28345 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application exposes the teacher\'s Console password in cleartext via an API endpoint accessible from localhost. Attackers with physical access to the Teacher Console can open a web browser, navigate to the affected endpoint and obtain the teacher\'s password. This enables them to log into the Teacher Console and begin trivially attacking student machines. | -- | May 31, 2023 | n/a |
| CVE-2023-28344 | An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application allows unauthenticated attackers to view constantly updated screenshots of student desktops and to submit falsified screenshots on behalf of students. Attackers are able to view screenshots of student desktops without their consent. These screenshots may potentially contain sensitive/personal data. Attackers can also rapidly submit falsified images, hiding the actual contents of student desktops from the Teacher Console. | -- | May 31, 2023 | n/a |
| CVE-2023-23562 | Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control that allows an authenticated user can update global parameters. | -- | May 31, 2023 | n/a |
| CVE-2023-2999 | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.14. | -- | May 31, 2023 | n/a |
| CVE-2023-2998 | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.14. | -- | May 31, 2023 | n/a |
| CVE-2023-2985 | kernel: use-after-free issue in hfsplus_release_folio in fs/hfsplus/super.c | -- | May 31, 2023 | n/a |
| CVE-2023-2977 | opensc: buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package | -- | May 31, 2023 | n/a |
| CVE-2023-2612 | Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu Linux kernel contained a race condition when handling inode locking in some situations. A local attacker could use this to cause a denial of service (kernel deadlock). | -- | May 31, 2023 | n/a |
| CVE-2022-47526 | Fox-IT DataDiode (aka Fox DataDiode) 3.4.3 suffers from a path traversal vulnerability with resultant arbitrary writing of files. A remote attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the downstream node user. Exploitation of this issue does not require user interaction. | -- | May 31, 2023 | n/a |
| CVE-2022-47525 | Fox-IT DataDiode (aka Fox DataDiode) 3.4.3 suffers from a Divide-by-Zero vulnerability in the packet parser. A remote attacker could leverage this vulnerability to cause a denial-of-service. Exploitation of this issue does not require user interaction. | -- | May 31, 2023 | n/a |
| CVE-2021-31233 | SQL Injection vulnerability found in Fighting Cock Information System v.1.0 allows a remote attacker to obtain sensitive information via the edit_breed.php parameter. | -- | May 31, 2023 | n/a |
| CVE-2012-10015 | A vulnerability was found in BestWebSoft Twitter Plugin up to 2.14 on WordPress. It has been classified as problematic. Affected is the function twttr_settings_page of the file twitter.php of the component Settings Page. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. Upgrading to version 2.15 is able to address this issue. The name of the patch is a6d4659cbb2cbf18ccb0fb43549d5113d74e0146. It is recommended to upgrade the affected component. VDB-230154 is the identifier assigned to this vulnerability. | -- | May 31, 2023 | n/a |
| CVE-2023-34205 | In Moov signedxml through 1.0.0, parsing the raw XML (as received) can result in different output than parsing the canonicalized XML. Thus, signature validation can be bypassed via a Signature Wrapping attack (aka XSW). | -- | May 30, 2023 | n/a |
| CVE-2023-34204 | imapsync through 2.229 uses predictable paths under /tmp and /var/tmp in its default mode of operation. Both of these are typically world-writable, and thus (for example) an attacker can modify imapsync\'s cache and overwrite files belonging to the user who runs it. | -- | May 30, 2023 | n/a |
| CVE-2023-34153 | A vulnerability was found in ImageMagick. This security flaw causes a shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding. | -- | May 30, 2023 | n/a |
| CVE-2023-34152 | A vulnerability was found in ImageMagick. This security flaw cause a remote code execution vulnerability in OpenBlob with --enable-pipes configured. | -- | May 30, 2023 | n/a |
| CVE-2023-34151 | A vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546). | -- | May 30, 2023 | n/a |
| CVE-2023-33975 | RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In version 2023.01 and prior, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. The overflow can be used to corrupt other packets and the allocator metadata. Corrupting a pointer will easily lead to denial of service. While carefully manipulating the allocator metadata gives an attacker the possibility to write data to arbitrary locations and thus execute arbitrary code. This issue is fixed in pull request 19680. As a workaround, disable support for fragmented IP datagrams. | -- | May 30, 2023 | n/a |
| CVE-2023-33974 | RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send multiple crafted frames to the device to trigger a race condition. The race condition invalidates assumptions about the program state and leads to an invalid memory access resulting in denial of service. This issue is patched in pull request 19679. There are no known workarounds. | -- | May 30, 2023 | n/a |
| CVE-2023-33973 | RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send a crafted frame which is forwarded by the device. During encoding of the packet a NULL pointer dereference occurs. This crashes the device leading to denial of service. A patch is available at pull request 19678. There are no known workarounds. | -- | May 30, 2023 | n/a |
| CVE-2023-33962 | JStachio is a type-safe Java Mustache templating engine. Prior to version 1.0.1, JStachio fails to escape single quotes `\'` in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware. Version 1.0.1 contains a patch for this issue. To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape `\'` as `'`. As a workaround, users can avoid this issue by using only double quotes `` for HTML attributes. | -- | May 30, 2023 | n/a |
| CVE-2023-33961 | Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code executes. As of time of publication, a patch does not exist. | -- | May 30, 2023 | n/a |
| CVE-2023-33955 | Minio Console is the UI for MinIO Object Storage. Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. This issue has been patched in version 0.28.0. | -- | May 30, 2023 | n/a |
| CVE-2023-33926 | Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps plugin <= 1.11.7 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33741 | Macrovideo v380pro v1.4.97 shares the device id and password when sharing the device. | -- | May 30, 2023 | n/a |
| CVE-2023-33740 | Incorrect access control in luowice v3.5.18 allows attackers to access cloud source code information via modification fo the Verify parameter in a warning message. | -- | May 30, 2023 | n/a |
| CVE-2023-33734 | BlueCMS v1.6 was discovered to contain a SQL injection vulnerability via the keywords parameter at search.php. | -- | May 30, 2023 | n/a |
| CVE-2023-33656 | A memory leak vulnerability exists in NanoMQ 0.17.2. The vulnerability is located in the file message.c. An attacker could exploit this vulnerability to cause a denial of service attack by causing the program to consume all available memory resources. | -- | May 30, 2023 | n/a |
| CVE-2023-33332 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Product Vendors plugin <= 2.1.76 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33319 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33316 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33313 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeinProgress WIP Custom Login plugin <= 1.2.9 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33311 | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in CRM Perks Contact Form Entries plugin <= 1.3.0 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33291 | In ebankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any e-mail address or phone number without validation. (It cannot be exploited with e-mail addresses or phone numbers that are registered in the application.) | -- | May 30, 2023 | n/a |
| CVE-2023-33255 | An issue was discovered in Papaya Viewer 4a42701. User-supplied input in form of DICOM or NIFTI images can be loaded into the Papaya web application without any kind of sanitization. This allows injection of arbitrary JavaScript code into image metadata, which is executed when that metadata is displayed in the Papaya web application | -- | May 30, 2023 | n/a |
| CVE-2023-33245 | Minecraft through 1.19 and 1.20 pre-releases before 7 (Java) allow arbitrary file overwrite, and possibly code execution, via crafted world data that contains a symlink. | -- | May 30, 2023 | n/a |
| CVE-2023-33234 | Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability. | -- | May 30, 2023 | n/a |
| CVE-2023-33211 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in André Bräkling WP-Matomo Integration (WP-Piwik) plugin <= 1.0.27 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33198 | tgstation-server is a production scale tool for BYOND server management. The DreamMaker API (DMAPI) chat channel cache can possibly be poisoned by a tgstation-server (TGS) restart and reattach. This can result in sending chat messages to one of any of the configured IRC or Discord channels for the instance on enabled chat bots. This lasts until the instance\'s chat channels are updated in TGS or DreamDaemon is restarted. TGS chat commands are unaffected, custom or otherwise. | -- | May 30, 2023 | n/a |
