Total: 958 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29816 | 1 Jetbrains | 1 Intellij Idea | 2023-06-28 | 2.1 LOW | 3.2 LOW |
| In JetBrains IntelliJ IDEA before 2022.1, HTML injection into IDE messages was possible. | |||||
| CVE-2022-38191 | 1 Esri | 1 Portal For Arcgis | 2023-06-27 | N/A | 5.4 MEDIUM |
| There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application. | |||||
| CVE-2022-36323 | 1 Siemens | 180 Scalance M-800, Scalance M-800 Firmware, Scalance S615 and 177 more | 2023-06-27 | N/A | 9.1 CRITICAL |
| Affected devices do not properly sanitize an input field. This could allow an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell. | |||||
| CVE-2022-23068 | 1 Tooljet | 1 Tooljet | 2023-06-27 | 3.5 LOW | 5.4 MEDIUM |
| ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection where an attacker can inject malicious code inside the first name and last name field while inviting a new user which will be reflected in the invitational e-mail. | |||||
| CVE-2022-41934 | 1 Xwiki | 1 Xwiki | 2023-06-27 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on commonly accessible documents, including the menu macro, can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation, due to improper escaping of the macro content and parameters of the menu macro. The problem has been patched in XWiki 14.6RC1, 13.10.8 and 14.4.3. The patch (commit `2fc20891`) for the document `Menu.MenuMacro` can be applied manually, or an XAR archive of a patched version can be imported. The menu macro was basically unchanged since XWiki 11.6, so on XWiki 11.6 or later the patch for version 13.10.8 (commit `59ccca24a`) can most likely be applied; on XWiki 14.0 and later the versions in XWiki 14.6 and 14.4.3 should be appropriate. | |||||
| CVE-2021-43929 | 1 Synology | 1 Diskstation Manager | 2023-06-26 | 4.0 MEDIUM | 5.4 MEDIUM |
| Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2021-40336 | 1 Hitachienergy | 2 Modular Switchgear Monitoring, Modular Switchgear Monitoring Firmware | 2023-06-26 | N/A | 8.8 HIGH |
| A vulnerability exists in the HTTP web interface, which does not validate data in an HTTP header. This allows HTTP response splitting, which if exploited could let an attacker inject harmful code into the user's web browser, for example to steal session cookies. An attacker who gets an MSM user with an established session to the MSM web interface to click a forged link to that interface (e.g., a link sent by e-mail) could thus trick the user into downloading malicious software onto their computer. This issue affects: Hitachi Energy MSM V2.2 and prior versions. | |||||
| CVE-2023-2797 | 1 Mattermost | 1 Mattermost | 2023-06-26 | N/A | 6.5 MEDIUM |
| Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. | |||||
| CVE-2022-24838 | 1 Nextcloud | 1 Calendar | 2023-06-23 | 7.5 HIGH | 9.8 CRITICAL |
| Nextcloud Calendar is a calendar application for the Nextcloud framework. SMTP command injection in appointment e-mails via newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL>` SMTP command and begin injecting arbitrary SMTP commands. It is recommended that Calendar is upgraded to 3.2.2. There are no workarounds available. | |||||
| CVE-2023-28599 | 1 Zoom | 1 Zoom | 2023-06-21 | N/A | 4.3 MEDIUM |
| Zoom clients prior to 5.13.10 contain an HTML injection vulnerability. A malicious user could inject HTML into their display name potentially leading a victim to a malicious website during meeting creation. | |||||
| CVE-2023-28598 | 1 Zoom | 1 Zoom | 2023-06-21 | N/A | 6.5 MEDIUM |
| Zoom for Linux clients prior to 5.13.10 contain an HTML injection vulnerability. If a victim starts a chat with a malicious user it could result in a Zoom application crash. | |||||
| CVE-2022-47028 | 1 Actionlauncher | 1 Action Launcher | 2023-06-06 | N/A | 5.5 MEDIUM |
| An issue discovered in Action Launcher for Android v50.5 allows an attacker to cause a denial of service via arbitrary data injection into the `insert` function. | |||||
| CVE-2023-33234 | 1 Apache | 1 Airflow Cncf Kubernetes | 2023-06-05 | N/A | 7.2 HIGH |
| Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows a user to change the xcom sidecar image and resources via an Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0, which has removed the vulnerability. | |||||
| CVE-2014-10386 | 1 3cx | 1 Live Chat | 2023-05-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The wp-live-chat-support plugin before 4.1.0 for WordPress is vulnerable to JavaScript injection. | |||||
| CVE-2023-32679 | 1 Craftcms | 1 Craft Cms | 2023-05-26 | N/A | 7.2 HIGH |
| Craft CMS is an open source content management system. In affected versions of Craft CMS, an unrestricted file extension may lead to remote code execution. If the name parameter value is not the empty string ('') in View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() chain, the function returns directly without extension verification, so files with arbitrary extensions are rendered as Twig templates. An attacker with admin privileges on a DEV environment, or on an improperly configured STG or PROD environment, can exploit this vulnerability for remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-32314 | 1 Vm2 Project | 1 Vm2 | 2023-05-24 | N/A | 10.0 CRITICAL |
| vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-32313 | 1 Vm2 Project | 1 Vm2 | 2023-05-24 | N/A | 5.3 MEDIUM |
| vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm. | |||||
| CVE-2022-46265 | 1 Siemens | 1 Polarion Alm | 2023-05-16 | N/A | 5.4 MEDIUM |
| A vulnerability has been identified in Polarion ALM (all versions < V2304.0). The affected application contains a Host header injection vulnerability that could allow an attacker to spoof Host header information and redirect users to malicious websites. | |||||
| CVE-2022-43769 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2023-05-11 | N/A | 7.2 HIGH |
| Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream. | |||||
| CVE-2022-45048 | 1 Apache | 1 Ranger | 2023-05-11 | N/A | 8.8 HIGH |
| Authenticated users with appropriate privileges can create policies containing expressions that exploit a code execution vulnerability. This issue affects Apache Ranger 2.3.0. Users are recommended to update to version 2.4.0. | |||||
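The most common class in the list above is HTML injection through a user-controlled field that is concatenated into markup (CVE-2022-23068: first and last name reflected into an invitation e-mail; CVE-2023-28599: a display name rendered during meeting creation). The following is an added example, not code from ToolJet, Zoom or any other vendor listed; the template, field names and the `evil.example` link are constructed for illustration. It renders the same invitation with and without output escaping and then extracts the clickable links the way a mail client's HTML parser would see them.

```python
"""Added example: HTML injection via an unescaped name field (constructed scenario)."""
from html import escape
from html.parser import HTMLParser

# Constructed attacker input for the "first name" field of an invite form.
CRAFTED_NAME = '<a href="https://evil.example/login">Click to accept</a>'

# Assumed invitation template; {first}/{last}/{token} are filled from user data.
INVITE_TEMPLATE = (
    "<p>{first} {last} has invited you to join the workspace.</p>"
    '<p><a href="https://app.example.com/invite/{token}">Accept invitation</a></p>'
)


def render_invite_unsafe(first: str, last: str, token: str) -> str:
    """Vulnerable: raw field values are dropped straight into the HTML body."""
    return INVITE_TEMPLATE.format(first=first, last=last, token=token)


def render_invite_safe(first: str, last: str, token: str) -> str:
    """Hardened: every untrusted value is HTML-escaped at the point of output.

    quote=True also escapes ' and ", so the same function is safe for values
    placed inside attribute values, not only in element text.
    """
    return INVITE_TEMPLATE.format(
        first=escape(first, quote=True),
        last=escape(last, quote=True),
        token=escape(token, quote=True),
    )


class _LinkCollector(HTMLParser):
    """Collects href targets, i.e. what a recipient could actually click."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def rendered_links(html_body: str) -> list[str]:
    """Return the link targets present in a rendered message body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    collector.close()
    return collector.hrefs


if __name__ == "__main__":
    # Unsafe rendering yields two links, the attacker's first; safe yields one.
    print(rendered_links(render_invite_unsafe(CRAFTED_NAME, "Smith", "abc123")))
    print(rendered_links(render_invite_safe(CRAFTED_NAME, "Smith", "abc123")))
```

The fix is escaping on output, not filtering on input: a name such as `O'Brien` must still be accepted, and a blocklist of tags is easy to bypass. Input validation on the name (length, printable characters) is worthwhile defence in depth but does not replace the escape.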
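Two entries are line-terminator injection into a line-oriented protocol rather than HTML: CVE-2022-24838 (newlines in an e-mail address break out of the `RCPT TO:` SMTP command) and CVE-2021-40336 (an unvalidated header value enables HTTP response splitting). The example below is added here and is not Nextcloud or Hitachi Energy code; the address shape, header names and the crafted recipient are constructed. It builds the wire line the vulnerable way and the hardened way, then splits the result on CRLF to show what the receiving SMTP server or HTTP client would actually parse.

```python
"""Added example: CR/LF injection into SMTP envelope commands and HTTP headers."""
import re

# SMTP commands (RFC 5321) and HTTP/1.1 header fields (RFC 9110) are CRLF-
# terminated lines, so any CR or LF inside a value is a terminator, not data.
_LINE_BREAKS = re.compile(r"[\r\n]")
# Deliberately conservative local-part@domain shape (assumption, not full RFC 5322).
_SIMPLE_EMAIL = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")
# HTTP token characters allowed in a header field name.
_HEADER_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class InjectionError(ValueError):
    """Raised when a value would alter protocol structure."""


def unsafe_rcpt_line(email: str) -> str:
    """Vulnerable: interpolates the address verbatim into the envelope command."""
    return f"RCPT TO:<{email}>\r\n"


def safe_rcpt_line(email: str) -> str:
    """Hardened: reject control characters and anything not shaped like an address."""
    if _LINE_BREAKS.search(email) or "\x00" in email:
        raise InjectionError("control characters in recipient")
    if not _SIMPLE_EMAIL.fullmatch(email):
        raise InjectionError("recipient is not a plain address")
    return f"RCPT TO:<{email}>\r\n"


def smtp_commands(line_builder, email: str) -> list[str]:
    """Split the produced bytes the way the server does: one command per CRLF line."""
    wire = line_builder(email)
    return [cmd for cmd in wire.split("\r\n") if cmd]


def safe_header(name: str, value: str) -> str:
    """HTTP header field with CR/LF rejected in both name and value."""
    if _LINE_BREAKS.search(name) or _LINE_BREAKS.search(value):
        raise InjectionError("line break in header")
    if not _HEADER_NAME.fullmatch(name):
        raise InjectionError("invalid header name")
    return f"{name}: {value}\r\n"


def is_rejected(builder, value) -> bool:
    """True if the builder refuses the value with InjectionError."""
    try:
        builder(value)
    except InjectionError:
        return True
    return False


# Constructed attacker input: a valid-looking address, then CRLF and a second
# command. Through the unsafe builder the server sees two RCPT TO commands.
CRAFTED_RECIPIENT = "victim@example.org>\r\nRCPT TO:<attacker@example.net"
# Constructed attacker input for a redirect target reflected into Location.
CRAFTED_LOCATION = "/home\r\nSet-Cookie: session=attacker-chosen"

if __name__ == "__main__":
    print(smtp_commands(unsafe_rcpt_line, CRAFTED_RECIPIENT))
    print(is_rejected(safe_rcpt_line, CRAFTED_RECIPIENT))
    print(is_rejected(lambda v: safe_header("Location", v), CRAFTED_LOCATION))
```

The check belongs at the boundary where the value enters the protocol encoder, not only in a form validator: the JSON request in CVE-2022-24838 never passed through a browser form, and a mail library that accepts a pre-built string cannot tell a newline from data.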
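CVE-2022-46265 (Polarion ALM) is the Host header variant: when an application builds absolute URLs for e-mails or redirects from the `Host` header the client sent, the attacker chooses where those links point. The code below is an added example, not Polarion code; the allowlist, the header dictionary shape and the reset-link route are assumptions. It contrasts a builder that trusts the request with one that only accepts a syntactically plain `host[:port]` that is in the deployment's allowlist.

```python
"""Added example: Host header injection and an allowlist-based fix (constructed)."""
import re

# Assumed deployment configuration: the only names this service is reachable under.
ALLOWED_HOSTS = frozenset({"alm.example.com", "alm.example.com:8443"})

# Plain hostname with optional port; excludes '/', '@', '?', '#', spaces and
# control characters, so path, userinfo and header-splitting payloads fail here.
_HOST_RE = re.compile(r"[A-Za-z0-9.\-]+(:[0-9]{1,5})?")


def reset_link_unsafe(headers: dict[str, str], token: str) -> str:
    """Vulnerable: trusts a proxy header, then Host, verbatim."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def validated_host(headers: dict[str, str]) -> str:
    """Return the request host only if it is well-formed and allowlisted.

    X-Forwarded-Host is deliberately ignored: it is only trustworthy when the
    immediate peer is a reverse proxy known to overwrite it, which this
    example does not assume.
    """
    host = headers.get("Host", "")
    if not host or not _HOST_RE.fullmatch(host):
        raise ValueError("malformed Host header")
    normalized = host.lower()
    if normalized not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {normalized}")
    return normalized


def reset_link_safe(headers: dict[str, str], token: str) -> str:
    """Hardened: the link is built only from a validated, allowlisted host."""
    return f"https://{validated_host(headers)}/reset?token={token}"


def host_rejected(headers: dict[str, str]) -> bool:
    """True if the validated builder refuses the request."""
    try:
        validated_host(headers)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: a spoofed proxy header, a foreign Host, and userinfo abuse.
    print(reset_link_unsafe({"Host": "alm.example.com", "X-Forwarded-Host": "evil.example"}, "t0k"))
    print(reset_link_safe({"Host": "ALM.example.com", "X-Forwarded-Host": "evil.example"}, "t0k"))
    print(host_rejected({"Host": "evil.example"}))
    print(host_rejected({"Host": "alm.example.com@evil.example"}))
```

Where the canonical public name is fixed, the simplest fix is to not read the request host at all and take the base URL from configuration; the allowlist above is for deployments that legitimately answer under several names.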
