The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2023-33486 | TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setOpModeCfg. This vulnerability allows an attacker to execute arbitrary commands through the hostName parameter. | -- | May 31, 2023 | n/a |
| CVE-2023-33485 | TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contains a post-authentication buffer overflow via parameter sPort/ePort in the addEffect function. | -- | May 31, 2023 | n/a |
| CVE-2023-33477 | In Harmonic NSG 9000-6G devices, an authenticated remote user can obtain source code by directly requesting a special path. | -- | Jun 7, 2023 | n/a |
| CVE-2023-33476 | ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 is vulnerable to Buffer Overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transport encoding. This results in other code later using attacker-controlled chunk values that exceed the length of the allocated buffer, resulting in out-of-bounds read/write. | -- | Jun 2, 2023 | n/a |
| CVE-2023-33461 | iniparser v4.1 is vulnerable to NULL Pointer Dereference in function iniparser_getlongint which misses check NULL for function iniparser_getstring\'s return. | -- | Jun 1, 2023 | n/a |
| CVE-2023-33460 | There\'s a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash. | -- | Jun 6, 2023 | n/a |
| CVE-2023-33457 | In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::parse , may cause buffer-overflow and crash. | -- | Jun 6, 2023 | n/a |
| CVE-2023-33443 | Incorrect access control in the administrative functionalities of BES--6024PB-I50H1 VideoPlayTool v2.0.1.0 allow attackers to execute arbitrary administrative commands via a crafted payload sent to the desired endpoints. | -- | Jun 8, 2023 | n/a |
| CVE-2023-33440 | Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user. | -- | May 29, 2023 | n/a |
| CVE-2023-33439 | Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=. | -- | May 29, 2023 | n/a |
| CVE-2023-33410 | Minical 1.0.0 and earlier contains a CSV injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Customer Name field in the Accounting module that is used to construct a CSV file. | -- | Jun 6, 2023 | n/a |
| CVE-2023-33409 | Minical 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF) via minical/public/application/controllers/settings/company.php. | -- | Jun 6, 2023 | n/a |
| CVE-2023-33408 | Minical 1.0.0 is vulnerable to Cross Site Scripting (XSS). The vulnerability exists due to insufficient input validation in the application\'s user input handling in the security_helper.php file. | -- | Jun 6, 2023 | n/a |
| CVE-2023-33394 | skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS). Attackers can achieve backend XSS by deploying malicious JSON data. | -- | May 26, 2023 | n/a |
| CVE-2023-33386 | MarsCTF 1.2.1 has an arbitrary file upload vulnerability in the interface for uploading attachments in the background. | -- | Jun 5, 2023 | n/a |
| CVE-2023-33381 | A command injection vulnerability was found in the ping functionality of the MitraStar GPT-2741GNAC router (firmware version AR_g5.8_110WVN0b7_2). The vulnerability allows an authenticated user to execute arbitrary OS commands by sending specially crafted input to the router via the ping function. | -- | Jun 6, 2023 | n/a |
| CVE-2023-33362 | Piwigo 13.6.0 is vulnerable to SQL Injection via in the profile function. | -- | May 23, 2023 | n/a |
| CVE-2023-33361 | Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php. | -- | May 23, 2023 | n/a |
| CVE-2023-33359 | Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the add tags function. | -- | May 23, 2023 | n/a |
| CVE-2023-33356 | IceCMS v1.0.0 is vulnerable to Cross Site Scripting (XSS). | -- | May 25, 2023 | n/a |
| CVE-2023-33355 | IceCMS v1.0.0 has Insecure Permissions. There is unauthorized access to the API, resulting in the disclosure of sensitive information. | -- | May 25, 2023 | n/a |
| CVE-2023-33338 | Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter. | -- | May 23, 2023 | n/a |
| CVE-2023-33332 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Product Vendors plugin <= 2.1.76 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33328 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PluginOps MailChimp Subscribe Form plugin <= 4.0.9.1 versions. | -- | May 28, 2023 | n/a |
| CVE-2023-33326 | Unauth. Reflected (XSS) Cross-Site Scripting (XSS) vulnerability in EventPrime plugin <= 2.8.6 versions. | -- | May 28, 2023 | n/a |
| CVE-2023-33319 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33316 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33315 | Cross-Site Request Forgery (CSRF) vulnerability in Stephen Darlington, Wandle Software Limited Smart App Banner plugin <= 1.1.2 versions. | -- | May 28, 2023 | n/a |
| CVE-2023-33314 | Cross-Site Request Forgery (CSRF) vulnerability in realmag777 BEAR plugin <= 1.1.3.1 versions. | -- | May 28, 2023 | n/a |
| CVE-2023-33313 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeinProgress WIP Custom Login plugin <= 1.2.9 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33311 | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in CRM Perks Contact Form Entries plugin <= 1.3.0 versions. | -- | May 30, 2023 | n/a |
| CVE-2023-33309 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Awesome Motive Duplicator Pro plugin <= 4.5.11 versions. | -- | May 28, 2023 | n/a |
| CVE-2023-33297 | Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023. | -- | May 22, 2023 | n/a |
| CVE-2023-33294 | An issue was discovered in KaiOS 3.0 before 3.1. The /system/bin/tctweb_server binary exposes a local web server that responds to GET and POST requests on port 2929. The server accepts arbitrary Bash commands and executes them as root. Because it is not permission or context restricted and returns proper CORS headers, it\'s accessible to all websites via the browser. At a bare minimum, this allows an attacker to retrieve a list of the user\'s installed apps, notifications, and downloads. It also allows an attacker to delete local files and modify system properties including the boolean persist.moz.killswitch property (which would render the device inoperable). This vulnerability is partially mitigated by SELinux which prevents reads, writes, or modifications to files or permissions within protected partitions. | -- | May 22, 2023 | n/a |
| CVE-2023-33293 | An issue was discovered in KaiOS 3.0 and 3.1. The binary /system/kaios/api-daemon exposes a local web server on *.localhost with subdomains for each installed applications, e.g., myapp.localhost. An attacker can make fetch requests to api-deamon to determine if a given app is installed and read the manifest.webmanifest contents, including the app version. | -- | May 22, 2023 | n/a |
| CVE-2023-33291 | In ebankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any e-mail address or phone number without validation. (It cannot be exploited with e-mail addresses or phone numbers that are registered in the application.) | -- | May 30, 2023 | n/a |
| CVE-2023-33288 | An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition. | -- | May 22, 2023 | n/a |
| CVE-2023-33287 | A stored cross-site scripting (XSS) vulnerability in the Inline Table Editing application before 3.8.0 for Confluence allows attackers to store and execute arbitrary JavaScript via a crafted payload injected into the tables. | -- | Jun 1, 2023 | n/a |
| CVE-2023-33285 | An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. | -- | May 22, 2023 | n/a |
| CVE-2023-33284 | Marval MSM through 14.19.0.12476 and 15.0 has a Remote Code Execution vulnerability. A remote attacker authenticated as any user is able to execute code in context of the web server. | -- | Jun 7, 2023 | n/a |
| CVE-2023-33283 | Marval MSM through 14.19.0.12476 uses a static encryption key for secrets. An attacker that gains access to encrypted secrets can decrypt them by using this key. | -- | Jun 7, 2023 | n/a |
| CVE-2023-33282 | Marval MSM through 14.19.0.12476 and 15.0 has a System account with default credentials. A remote attacker is able to login and create a valid session. This makes it possible to make backend calls to endpoints in the application. | -- | Jun 7, 2023 | n/a |
| CVE-2023-33281 | The remote keyfob system on Nissan Sylphy Classic 2021 sends the same RF signal for each door-open request, which allows for a replay attack. | -- | May 22, 2023 | n/a |
| CVE-2023-33280 | In the Store Commander scquickaccounting module for PrestaShop through 3.7.3, multiple sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. | -- | May 25, 2023 | n/a |
| CVE-2023-33279 | In the Store Commander scfixmyprestashop module through 2023-05-09 for PrestaShop, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. | -- | May 25, 2023 | n/a |
| CVE-2023-33278 | In the Store Commander scexportcustomers module for PrestaShop through 3.6.1, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. | -- | May 25, 2023 | n/a |
| CVE-2023-33264 | In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, configuration routines don\'t mask passwords in the member configuration properly. This allows Hazelcast Management Center users to view some of the secrets. | -- | May 22, 2023 | n/a |
| CVE-2023-33263 | In WFTPD 3.25, usernames and password hashes are stored in an openly viewable wftpd.ini configuration file within the WFTPD directory. NOTE: this is a product from 2006. | -- | May 25, 2023 | n/a |
| CVE-2023-33255 | An issue was discovered in Papaya Viewer 4a42701. User-supplied input in form of DICOM or NIFTI images can be loaded into the Papaya web application without any kind of sanitization. This allows injection of arbitrary JavaScript code into image metadata, which is executed when that metadata is displayed in the Papaya web application | -- | May 30, 2023 | n/a |
| CVE-2023-33254 | There is an LDAP bind credentials exposure on KACE Systems Deployment and Remote Site appliances 9.0.146. The captured credentials may provide a higher privilege level on the Active Directory domain. To exploit this, an authenticated attacker edits the user-authentication settings to specify an attacker-controlled LDAP server, clicks the Test Settings button, and captures the cleartext credentials. | -- | May 22, 2023 | n/a |
