CVEs from 2023
Total
6,120
critical
critical 239
high
high 1,503
medium
medium 1,409
low
low 32
% Critical
3.9%
% with KEV
2.7%
% with exploit
3.5%
Top products
- office 29
- office_long_term_servicing_channel 15
- 365_apps 14
- ftmg-esr50sxx 8
- ftmg-esn40sxx 8
- ftmg-esd25axx 8
- ftmg-esr40sxx 8
- ftmg-esd15axx 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-44487 | high | 7.5 | 10.0 | 3y ago | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | |||
| CVE-2023-4911 | high | 7.8 | 10.0 | 3y ago | GNU C Library's dynamic loader ld.so contains a buffer overflow vulnerability when processing the GLIBC_TUNABLES environment variable, allowing a local attacker to execute code with elevated privileg… | |||
| CVE-2023-0386 | high | — | 10.0 | 3y ago | Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsyst… | |||
| CVE-2023-43000 | high | — | 9.5 | 2y ago | Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption. | |||
| CVE-2023-42917 | high | — | 9.5 | 3y ago | Apple iOS, iPadOS, macOS, and Safari WebKit contain a memory corruption vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTM… | |||
| CVE-2023-5217 | high | — | 9.5 | 3y ago | Google Chromium libvpx contains a heap buffer overflow vulnerability in vp8 encoding that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability c… | |||
| CVE-2023-4863 | high | — | 9.5 | 3y ago | Google Chromium WebP contains a heap-based buffer overflow vulnerability that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This vulnerability can affect … | |||
| CVE-2023-38180 | high | — | 9.5 | 3y ago | Microsoft .NET Core and Visual Studio contain an unspecified vulnerability that allows for denial-of-service (DoS). | |||
| CVE-2023-32435 | high | — | 9.5 | 3y ago | Apple iOS, iPadOS, macOS, and Safari WebKit contain a memory corruption vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTM… | |||
| CVE-2023-42916 | high | — | 9.5 | 3y ago | Apple iOS, iPadOS, macOS, and Safari WebKit contain an out-of-bounds read vulnerability that may disclose sensitive information when processing maliciously crafted web content. This vulnerability cou… | |||
| CVE-2023-41993 | high | — | 9.5 | 3y ago | Apple iOS, iPadOS, macOS, and Safari WebKit contain an unspecified vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML par… | |||
| CVE-2023-37450 | high | — | 9.5 | 3y ago | Apple iOS, iPadOS, macOS, and Safari WebKit contain an unspecified vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML par… | |||
| CVE-2023-32439 | high | — | 9.5 | 3y ago | Apple iOS, iPadOS, macOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML p… | |||
| CVE-2023-32373 | high | — | 9.5 | 3y ago | Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability coul… | |||
| CVE-2023-28204 | high | — | 9.5 | 3y ago | Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an out-of-bounds read vulnerability that may disclose sensitive information when processing maliciously crafted web content. This vu… | |||
| CVE-2023-28205 | high | — | 9.5 | 3y ago | Apple iOS, iPadOS, macOS, and Safari WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML p… | |||
| CVE-2023-0266 | high | — | 9.5 | 3y ago | Linux kernel contains a use-after-free vulnerability that allows for privilege escalation to gain ring0 access from the system user. | |||
| CVE-2023-23529 | high | — | 9.5 | 3y ago | Apple iOS, MacOS, Safari and iPadOS WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML pa… | |||
| CVE-2023-45249 | unknown | — | 2.5 | 2y ago | Acronis Cyber Infrastructure (ACI) allows an unauthenticated user to execute commands remotely due to the use of default passwords. | |||
| CVE-2023-43208 | unknown | — | 2.5 | 2y ago | NextGen Healthcare Mirth Connect contains a deserialization of untrusted data vulnerability that allows for unauthenticated remote code execution via a specially crafted request. | |||
| CVE-2023-7028 | unknown | — | 2.5 | 2y ago | GitLab Community and Enterprise Editions contain an improper access control vulnerability. This allows an attacker to trigger password reset emails to be sent to an unverified email address to ultima… | |||
| CVE-2023-24955 | unknown | — | 2.5 | 2y ago | Microsoft SharePoint Server contains a code injection vulnerability that allows an authenticated attacker with Site Owner privileges to execute code remotely. | |||
| CVE-2023-48788 | unknown | — | 2.5 | 2y ago | Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests. | |||
| CVE-2023-22527 | unknown | — | 2.5 | 2y ago | Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution. | |||
| CVE-2023-29357 | unknown | — | 2.5 | 2y ago | Microsoft SharePoint Server contains an unspecified vulnerability that allows an unauthenticated attacker, who has gained access to spoofed JWT authentication tokens, to use them for executing a netw… | |||
| CVE-2023-46805 | unknown | — | 2.5 | 2y ago | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to ac… | |||
| CVE-2023-23752 | unknown | — | 2.5 | 2y ago | Joomla! contains an improper access control vulnerability that allows unauthorized access to webservice endpoints. | |||
| CVE-2023-7101 | unknown | — | 2.5 | 2y ago | Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Num… | |||
| CVE-2023-49103 | unknown | — | 2.5 | 3y ago | ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials. | |||
| CVE-2023-1671 | unknown | — | 2.5 | 3y ago | Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution. | |||
| CVE-2023-36845 | unknown | — | 2.5 | 3y ago | Juniper Junos OS on EX Series and SRX Series contains a PHP external variable modification vulnerability that allows an unauthenticated, network-based attacker to control an important environment var… | |||
| CVE-2023-22518 | unknown | — | 2.5 | 3y ago | Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an unauthenticated attacker. There is no impact … | |||
| CVE-2023-46747 | unknown | — | 2.5 | 3y ago | F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network … | |||
| CVE-2023-46604 | unknown | — | 2.5 | 3y ago | Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class type… | |||
| CVE-2023-20273 | unknown | — | 2.5 | 3y ago | Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the new local user to elevate privilege to root and writ… | |||
| CVE-2023-4966 | unknown | — | 2.5 | 3y ago | Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, … | |||
| CVE-2023-20198 | unknown | — | 2.5 | 3y ago | Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker to create an account with privilege level 15 access. Th… | |||
| CVE-2023-22515 | unknown | — | 2.5 | 3y ago | Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts and access Confluence. | |||
| CVE-2023-40044 | unknown | — | 2.5 | 3y ago | Progress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying oper… | |||
| CVE-2023-42793 | unknown | — | 2.5 | 3y ago | JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server. | |||
| CVE-2023-38831 | unknown | — | 2.5 | 3y ago | RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file within a ZIP archive. | |||
| CVE-2023-38035 | unknown | — | 2.5 | 3y ago | Ivanti Sentry, formerly known as MobileIron Sentry, contains an authentication bypass vulnerability that may allow an attacker to bypass authentication controls on the administrative interface due to… | |||
| CVE-2023-3519 | unknown | — | 2.5 | 3y ago | Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution. | |||
| CVE-2023-36874 | unknown | — | 2.5 | 3y ago | Microsoft Windows Error Reporting Service contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2023-33246 | unknown | — | 2.5 | 3y ago | Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using … | |||
| CVE-2023-20887 | unknown | — | 2.5 | 3y ago | VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that allows a malicious actor with network access to perform an attack resulting in … | |||
| CVE-2023-34362 | unknown | — | 2.5 | 3y ago | Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engin… | |||
| CVE-2023-28771 | unknown | — | 2.5 | 3y ago | Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets t… | |||
| CVE-2023-2868 | unknown | — | 2.5 | 3y ago | Barracuda Email Security Gateway (ESG) appliance contains an improper input validation vulnerability of a user-supplied .tar file, leading to remote command injection. | |||
| CVE-2023-32315 | unknown | — | 2.5 | 3y ago | Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console reserved for administrative users. | |||
| CVE-2023-29336 | unknown | — | 2.5 | 3y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation up to SYSTEM privileges. | |||
| CVE-2023-21839 | unknown | — | 2.5 | 3y ago | Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server. | |||
| CVE-2023-1389 | unknown | — | 2.5 | 3y ago | TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution. | |||
| CVE-2023-27524 | unknown | — | 2.5 | 3y ago | Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altere… | |||
| CVE-2023-28432 | unknown | — | 2.5 | 3y ago | MinIO contains a vulnerability in a cluster deployment where MinIO returns all environment variables, which allows for information disclosure. | |||
| CVE-2023-27350 | unknown | — | 2.5 | 3y ago | PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system. | |||
| CVE-2023-28252 | unknown | — | 2.5 | 3y ago | Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2023-26360 | unknown | — | 2.5 | 3y ago | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution. | |||
| CVE-2023-0669 | unknown | — | 2.5 | 3y ago | Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object. | |||
| CVE-2023-22952 | unknown | — | 2.5 | 3y ago | Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates. | |||
| CVE-2023-27351 | unknown | — | 1.5 | 2mo ago | PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class. | |||
| CVE-2023-21529 | unknown | — | 1.5 | 2mo ago | Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution. | |||
| CVE-2023-36424 | unknown | — | 1.5 | 2mo ago | Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation | |||
| CVE-2023-41974 | unknown | — | 1.5 | 3mo ago | Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges. | |||
| CVE-2023-52163 | unknown | — | 1.5 | 5mo ago | Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi. | |||
| CVE-2023-50224 | unknown | — | 1.5 | 9mo ago | TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclose of stored credentials. The imp… | |||
| CVE-2023-2533 | unknown | — | 1.5 | 10mo ago | PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. | |||
| CVE-2023-33538 | unknown | — | 1.5 | 1y ago | TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) an… | |||
| CVE-2023-39780 | unknown | — | 1.5 | 1y ago | ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346. | |||
| CVE-2023-38950 | unknown | — | 1.5 | 1y ago | ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload. | |||
| CVE-2023-44221 | unknown | — | 1.5 | 1y ago | SonicWall SMA100 appliances contain an OS command injection vulnerability in the SSL-VPN management interface that allows a remote, authenticated attacker with administrative privilege to inject arbi… | |||
| CVE-2023-20118 | unknown | — | 1.5 | 1y ago | Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an authenticated, remote attacker… | |||
| CVE-2023-34192 | unknown | — | 1.5 | 1y ago | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoS… | |||
| CVE-2023-48365 | unknown | — | 1.5 | 1y ago | Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software. | |||
| CVE-2023-45727 | unknown | — | 1.5 | 2y ago | North Grid Proself Enterprise/Standard, Gateway, and Mail Sanitize contain an improper restriction of XML External Entity (XXE) reference vulnerability, which could allow a remote, unauthenticated at… | |||
| CVE-2023-28461 | unknown | — | 1.5 | 2y ago | Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway. | |||
| CVE-2023-25280 | unknown | — | 1.5 | 2y ago | D-Link DIR-820 routers contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to escalate privileges to root via a crafted payload with the ping_addr parameter t… | |||
| CVE-2023-21237 | unknown | — | 1.5 | 2y ago | Android Pixel contains a vulnerability in the Framework component, where the UI may be misleading or insufficient, providing a means to hide a foreground service notification. This could enable a loc… | |||
| CVE-2023-29360 | unknown | — | 1.5 | 2y ago | Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. | |||
| CVE-2023-43770 | unknown | — | 1.5 | 2y ago | Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages. | |||
| CVE-2023-4762 | unknown | — | 1.5 | 2y ago | Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Ch… | |||
| CVE-2023-34048 | unknown | — | 1.5 | 2y ago | VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote code execution. | |||
| CVE-2023-35082 | unknown | — | 1.5 | 2y ago | Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the applicat… | |||
| CVE-2023-6549 | unknown | — | 1.5 | 2y ago | Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for a denial-of-service when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or… | |||
| CVE-2023-6548 | unknown | — | 1.5 | 2y ago | Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for authenticated remote code execution on the management interface with access to NSIP, CLIP, or SNIP. | |||
| CVE-2023-38203 | unknown | — | 1.5 | 2y ago | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. | |||
| CVE-2023-29300 | unknown | — | 1.5 | 2y ago | Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution. | |||
| CVE-2023-41990 | unknown | — | 1.5 | 2y ago | Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file. | |||
| CVE-2023-7024 | unknown | — | 1.5 | 2y ago | Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows a remote attacker to potentially exploit … | |||
| CVE-2023-49897 | unknown | — | 1.5 | 3y ago | FXC AE1021 and AE1021PE contain an OS command injection vulnerability that allows authenticated users to execute commands via a network. | |||
| CVE-2023-47565 | unknown | — | 1.5 | 3y ago | QNAP VioStar NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network. | |||
| CVE-2023-6448 | unknown | — | 1.5 | 3y ago | Unitronics Vision Series PLCs and HMIs ship with an insecure default password, which if left unchanged, can allow attackers to execute remote commands. | |||
| CVE-2023-41266 | unknown | — | 1.5 | 3y ago | Qlik Sense contains a path traversal vulnerability that allows a remote, unauthenticated attacker to create an anonymous session by sending maliciously crafted HTTP requests. This anonymous session c… | |||
| CVE-2023-41265 | unknown | — | 1.5 | 3y ago | Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software. | |||
| CVE-2023-33106 | unknown | — | 1.5 | 3y ago | Multiple Qualcomm chipsets contain a use of out-of-range pointer offset vulnerability due to memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_… | |||
| CVE-2023-33063 | unknown | — | 1.5 | 3y ago | Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services during a remote call from HLOS to DSP. | |||
| CVE-2023-33107 | unknown | — | 1.5 | 3y ago | Multiple Qualcomm chipsets contain an integer overflow vulnerability due to memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call. | |||
| CVE-2023-6345 | unknown | — | 1.5 | 3y ago | Google Chromium Skia contains an integer overflow vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a malicious file. … | |||
| CVE-2023-36584 | unknown | — | 1.5 | 3y ago | Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features. | |||
| CVE-2023-36036 | unknown | — | 1.5 | 3y ago | Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges. |