The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2023-52139 | Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as [kind](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L811) or [secure](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L805) without the user's permission and perform operations such as reading or adding non-public content. As a result, if the user who authenticated the application is an administrator, confidential information such as object storage secret keys and SMTP server passwords will be leaked, and general users can also create invitation codes without permission and leak non-public user information. This is patched in version [2023.12.1](https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64). | -- | Dec 29, 2023 | n/a |
CVE-2023-52140 | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2023. Notes: none. | -- | Jan 3, 2024 | n/a |
CVE-2023-52141 | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2023. Notes: none. | -- | Jan 3, 2024 | n/a |
CVE-2023-52142 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cool Plugins Events Shortcodes For The Events Calendar. This issue affects Events Shortcodes For The Events Calendar: from n/a through 2.3.1. | -- | Jan 9, 2024 | n/a |
CVE-2023-52143 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Naa986 WP Stripe Checkout. This issue affects WP Stripe Checkout: from n/a through 1.2.2.37. | -- | Jan 5, 2024 | n/a |
CVE-2023-52144 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RexTheme Product Feed Manager. This issue affects Product Feed Manager: from n/a through 7.3.15. | -- | Apr 15, 2024 | n/a |
CVE-2023-52145 | Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou Republish Old Posts. This issue affects Republish Old Posts: from n/a through 1.21. | -- | Jan 5, 2024 | n/a |
CVE-2023-52146 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution. This issue affects 404 Solution: from n/a through 2.33.0. | -- | Jan 5, 2024 | n/a |
CVE-2023-52147 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects All In One WP Security & Firewall: from n/a through 5.2.4. | -- | Jun 4, 2024 | n/a |
CVE-2023-52148 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager. This issue affects Affiliates Manager: from n/a through 2.9.30. | -- | Jan 10, 2024 | n/a |
CVE-2023-52149 | Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Floating Button. This issue affects Floating Button: from n/a through 6.0. | -- | Jan 9, 2024 | n/a |
CVE-2023-52150 | Cross-Site Request Forgery (CSRF) vulnerability in Ovation S.R.L. Dynamic Content for Elementor. This issue affects Dynamic Content for Elementor: from n/a before 2.12.5. | -- | Jan 5, 2024 | n/a |
CVE-2023-52151 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Uncanny Automator, Uncanny Owl Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin. This issue affects Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin: from n/a through 5.1.0.2. | -- | Jan 10, 2024 | n/a |
CVE-2023-52152 | mupnp/net/uri.c in mUPnP for C through 3.0.2 has an out-of-bounds read and application crash because it lacks a certain host length recalculation. | -- | Dec 28, 2023 | n/a |
CVE-2023-52153 | A SQL Injection vulnerability in /pmb/opac_css/includes/sessions.inc.php in PMB 7.4.7 and earlier allows remote unauthenticated attackers to inject arbitrary SQL commands via the PmbOpac-LOGIN cookie value. | -- | Feb 22, 2024 | n/a |
CVE-2023-52154 | File Upload vulnerability in pmb/camera_upload.php in PMB 7.4.7 and earlier allows attackers to run arbitrary code via upload of crafted PHTML files. | -- | Feb 22, 2024 | n/a |
CVE-2023-52155 | A SQL Injection vulnerability in /admin/sauvegarde/run.php in PMB 7.4.7 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via the sauvegardes variable through the /admin/sauvegarde/run.php endpoint. | -- | Feb 22, 2024 | n/a |
CVE-2023-52159 | A stack-based buffer overflow vulnerability in gross 0.9.3 through 1.x before 1.0.4 allows remote attackers to trigger a denial of service (grossd daemon crash) or potentially execute arbitrary code in grossd via crafted SMTP transaction parameters that cause an incorrect strncat for a log entry. | -- | Mar 18, 2024 | n/a |
CVE-2023-52160 | The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks. | -- | Feb 19, 2024 | n/a |
CVE-2023-52161 | The Access Point functionality in eapol_auth_key_handle in eapol.c in iNet wireless daemon (IWD) before 2.14 allows attackers to gain unauthorized access to a protected Wi-Fi network. An attacker can complete the EAPOL handshake by skipping Msg2/4 and instead sending Msg4/4 with an all-zero key. | -- | Feb 19, 2024 | n/a |
CVE-2023-52162 | Mercusys MW325R EU V3 (Firmware MW325R(EU)_V3_1.11.0 Build 221019) is vulnerable to a stack-based buffer overflow, which could allow an attacker to execute arbitrary code. Exploiting the vulnerability requires authentication. | -- | Jun 4, 2024 | n/a |
CVE-2023-52168 | The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. | -- | Jul 3, 2024 | n/a |
CVE-2023-52169 | The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process. | -- | Jul 3, 2024 | n/a |
CVE-2023-52173 | XnView Classic before 2.51.3 on Windows has a Write Access Violation at xnview.exe+0x3ADBD0. | -- | Dec 29, 2023 | n/a |
CVE-2023-52174 | XnView Classic before 2.51.3 on Windows has a Write Access Violation at xnview.exe+0x3125D6. | -- | Dec 29, 2023 | n/a |
CVE-2023-52175 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Uno (miunosoft) Auto Amazon Links – Amazon Associates Affiliate Plugin allows Stored XSS. This issue affects Auto Amazon Links – Amazon Associates Affiliate Plugin: from n/a through 5.1.1. | -- | Feb 1, 2024 | n/a |
CVE-2023-52176 | Authentication Bypass by Spoofing vulnerability in miniorange Malware Scanner allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Malware Scanner: from n/a through 4.7.1. | -- | Jun 4, 2024 | n/a |
CVE-2023-52177 | Missing Authorization vulnerability in SoftLab Integrate Google Drive. This issue affects Integrate Google Drive: from n/a through 1.3.3. | -- | Jun 13, 2024 | n/a |
CVE-2023-52178 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MojofyWP WP Affiliate Disclosure allows Stored XSS. This issue affects WP Affiliate Disclosure: from n/a through 1.2.7. | -- | Jan 5, 2024 | n/a |
CVE-2023-52179 | Missing Authorization vulnerability in WebCodingPlace Product Expiry for WooCommerce. This issue affects Product Expiry for WooCommerce: from n/a through 2.5. | -- | Jun 11, 2024 | n/a |
CVE-2023-52180 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Really Simple Plugins Recipe Maker For Your Food Blog from Zip Recipes. This issue affects Recipe Maker For Your Food Blog from Zip Recipes: from n/a through 8.1.0. | -- | Jan 1, 2024 | n/a |
CVE-2023-52181 | Deserialization of Untrusted Data vulnerability in Presslabs Theme per user. This issue affects Theme per user: from n/a through 1.0.1. | -- | Jan 1, 2024 | n/a |
CVE-2023-52182 | Deserialization of Untrusted Data vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder. This issue affects ARI Stream Quiz – WordPress Quizzes Builder: from n/a through 1.3.0. | -- | Jan 1, 2024 | n/a |
CVE-2023-52183 | Missing Authorization vulnerability in WebToffee WordPress Backup & Migration. This issue affects WordPress Backup & Migration: from n/a through 1.4.3. | -- | Jun 13, 2024 | n/a |
CVE-2023-52184 | Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Job Portal – A Complete Job Board. This issue affects WP Job Portal – A Complete Job Board: from n/a through 2.0.6. | -- | Jan 5, 2024 | n/a |
CVE-2023-52185 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Everestthemes Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin. This issue affects Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin: from n/a through 2.1.9. | -- | Jan 1, 2024 | n/a |
CVE-2023-52186 | Missing Authorization vulnerability in Woo WooCommerce Product Vendors. This issue affects WooCommerce Product Vendors: from n/a through 2.2.2. | -- | Jun 11, 2024 | n/a |
CVE-2023-52187 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Thomas Maier Image Source Control Lite – Show Image Credits and Captions. This issue affects Image Source Control Lite – Show Image Credits and Captions: from n/a through 2.17.0. | -- | Jan 27, 2024 | n/a |
CVE-2023-52188 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson Footer Putter allows Stored XSS. This issue affects Footer Putter: from n/a through 1.17. | -- | Feb 1, 2024 | n/a |
CVE-2023-52189 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jhayghost Ideal Interactive Map allows Stored XSS. This issue affects Ideal Interactive Map: from n/a through 1.2.4. | -- | Feb 1, 2024 | n/a |
CVE-2023-52190 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WP Swings Coupon Referral Program. This issue affects Coupon Referral Program: from n/a through 1.7.2. | -- | Jan 8, 2024 | n/a |
CVE-2023-52191 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Torbjon Infogram – Add charts, maps and infographics allows Stored XSS. This issue affects Infogram – Add charts, maps and infographics: from n/a through 1.6.1. | -- | Feb 1, 2024 | n/a |
CVE-2023-52192 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Keap Keap Official Opt-in Forms allows Stored XSS. This issue affects Keap Official Opt-in Forms: from n/a through 1.0.11. | -- | Feb 1, 2024 | n/a |
CVE-2023-52193 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS. This issue affects Page Builder: Live Composer: from n/a through 1.5.23. | -- | Feb 1, 2024 | n/a |
CVE-2023-52194 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takayuki Miyauchi oEmbed Gist allows Stored XSS. This issue affects oEmbed Gist: from n/a through 4.9.1. | -- | Feb 1, 2024 | n/a |
CVE-2023-52195 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Posts to Page Kerry James allows Stored XSS. This issue affects Kerry James: from n/a through 1.7. | -- | Feb 1, 2024 | n/a |
CVE-2023-52196 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Phil Ewels CPT Bootstrap Carousel allows Reflected XSS. This issue affects CPT Bootstrap Carousel: from n/a through 1.12. | -- | Jan 9, 2024 | n/a |
CVE-2023-52197 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Impactpixel Ads Invalid Click Protection allows Stored XSS. This issue affects Ads Invalid Click Protection: from n/a through 1.0. | -- | Jan 9, 2024 | n/a |
CVE-2023-52198 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michiel van Eerd Private Google Calendars allows Stored XSS. This issue affects Private Google Calendars: from n/a through 20231125. | -- | Jan 9, 2024 | n/a |
CVE-2023-52199 | Missing Authorization vulnerability in Matthias Pfefferle & Automattic ActivityPub. This issue affects ActivityPub: from n/a through 1.0.5. | -- | Jun 13, 2024 | n/a |