CVEs from 2023

- Total: 6,100
- Critical: 240
- High: 1,530
- Medium: 1,393
- Low: 32
- % Critical: 3.9%
- % with KEV: 2.7%
- % with exploit: 3.5%
Top products
- office 29
- office_long_term_servicing_channel 15
- 365_apps 14
- ftmg-esr50sxx 8
- ftmg-esn40sxx 8
- ftmg-esd25axx 8
- ftmg-esr40sxx 8
- ftmg-esd15axx 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-40816 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40814 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40813 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40817 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40809 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40810 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40812 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-47797 | unknown | — | — | | | | 3y ago | Liferay Portal XSS with `p_l_back_url_title` on edit content page |
| CVE-2023-40314 | unknown | — | — | | | | 3y ago | OpenNMS Cross-site Scripting vulnerability |
| CVE-2023-48222 | unknown | — | — | | | | 3y ago | Authenticated Rundeck users can view or delete jobs they do not have authorization for. |
| CVE-2023-47112 | unknown | — | — | | | | 3y ago | Authenticated users can view job names and groups they do not have authorization to view |
| CVE-2023-6038 | unknown | — | — | | | | 3y ago | H2O local file inclusion vulnerability |
| CVE-2023-26031 | unknown | — | — | | | | 3y ago | Apache Hadoop allows local user to gain root privileges |
| CVE-2023-5720 | unknown | — | — | | | | 3y ago | Quarkus does not properly sanitize artifacts created from its use of the Gradle plugin, allowing certain build system information to remain |
| CVE-2023-5245 | unknown | — | — | | | | 3y ago | Zip slip in mleap |
| CVE-2023-48087 | unknown | — | — | | | | 3y ago | xxl-job-admin vulnerable to Insecure Permissions |
| CVE-2023-48088 | unknown | — | — | | | | 3y ago | xxl-job-admin vulnerable to Cross Site Scripting |
| CVE-2023-48089 | unknown | — | — | | | | 3y ago | xxl-job-admin vulnerable to Remote Code Execution |
| CVE-2023-34062 | unknown | — | — | | | | 3y ago | In Reactor Netty HTTP Server a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack |
| CVE-2023-5072 | unknown | — | — | | | | 3y ago | Java: DoS Vulnerability in JSON-JAVA |
| CVE-2023-47627 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parse… |
| CVE-2023-47641 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protoc… |
| CVE-2023-47122 | unknown | — | — | | | | 3y ago | Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the loc… |
| CVE-2023-46735 | unknown | — | — | | | | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` return… |
| CVE-2023-46734 | unknown | — | — | | | | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Tw… |
| CVE-2023-46733 | unknown | — | — | | | | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListene… |
| CVE-2023-46446 | unknown | — | — | | | | 3y ago | An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." |
| CVE-2023-46445 | unknown | — | — | | | | 3y ago | An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation." |
| CVE-2023-46737 | unknown | — | — | | | | 3y ago | Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high num… |
| CVE-2023-46732 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to reflected cross-site scripting through revision parameter in content menu |
| CVE-2023-46731 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to remote code execution through the section parameter in Administration as guest |
| CVE-2023-39913 | unknown | — | — | | | | 3y ago | Apache UIMA Java SDK Deserialization of Untrusted Data, Improper Input Validation vulnerability |
| CVE-2023-4061 | unknown | — | — | | | | 3y ago | wildfly-core Exposure of Sensitive Information to an Unauthorized Actor vulnerability |
| CVE-2023-46244 | unknown | — | — | | | | 3y ago | XWiki Platform privilege escalation from script right to programming right through title displayer |
| CVE-2023-46243 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action |
| CVE-2023-46242 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to remote code execution via the edit action because it lacks CSRF token |
| CVE-2023-4043 | unknown | — | — | | | | 3y ago | Eclipse Parsson Denial of Service vulnerability |
| CVE-2023-5763 | unknown | — | — | | | | 3y ago | Eclipse Glassfish remote code execution issue |
| CVE-2023-43665 | unknown | — | — | | | | 3y ago | In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of … |
| CVE-2023-41164 | unknown | — | — | | | | 3y ago | In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large … |
| CVE-2023-31579 | unknown | — | — | | | | 3y ago | Dromara Lamp-Cloud Use of Hard-coded Cryptographic Key |
| CVE-2023-46695 | unknown | — | — | | | | 3y ago | An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is s… |
| CVE-2023-46129 | unknown | — | — | | | | 3y ago | NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recent… |
| CVE-2023-46502 | unknown | — | — | | | | 3y ago | OpenCRX allows a remote attacker to execute arbitrary code via a crafted request |
| CVE-2023-31418 | unknown | — | — | | | | 3y ago | Elasticsearch vulnerable to Uncontrolled Resource Consumption |
| CVE-2023-31419 | unknown | — | — | | | | 3y ago | Elasticsearch vulnerable to stack overflow in the search API |
| CVE-2023-31417 | unknown | — | — | | | | 3y ago | Elasticsearch allows insertion of sensitive information into log files when using deprecated URIs |
| CVE-2023-45137 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to XSS with edit right in the create document form for existing pages |
| CVE-2023-45136 | unknown | — | — | | | | 3y ago | XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled |
| CVE-2023-45135 | unknown | — | — | | | | 3y ago | XWiki users can be tricked to execute scripts as the create page action doesn't display the page's title |
| CVE-2023-45134 | unknown | — | — | | | | 3y ago | XWiki Platform XSS vulnerability from account in the create page form via template provider |
| CVE-2023-37913 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter |
| CVE-2023-37912 | unknown | — | — | | | | 3y ago | XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro |
| CVE-2023-37911 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents |
| CVE-2023-37910 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move |
| CVE-2023-37909 | unknown | — | — | | | | 3y ago | Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet |
| CVE-2023-37908 | unknown | — | — | | | | 3y ago | org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability |
| CVE-2023-5752 | unknown | — | — | | | | 3y ago | When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to th… |
| CVE-2023-46650 | unknown | — | — | | | | 3y ago | Stored XSS vulnerability in Jenkins GitHub Plugin |
| CVE-2023-46657 | unknown | — | — | | | | 3y ago | Jenkins Gogs Plugin uses non-constant time webhook token comparison |
| CVE-2023-46656 | unknown | — | — | | | | 3y ago | Jenkins Multibranch Scan Webhook Trigger Plugin uses non-constant time webhook token comparison |
| CVE-2023-46660 | unknown | — | — | | | | 3y ago | Non-constant time webhook token hash comparison in Jenkins Zanata Plugin |
| CVE-2023-46654 | unknown | — | — | | | | 3y ago | Jenkins CloudBees CD Plugin vulnerable to arbitrary file deletion |
| CVE-2023-46659 | unknown | — | — | | | | 3y ago | Jenkins Edgewall Trac Plugin vulnerable to Stored XSS |
| CVE-2023-46653 | unknown | — | — | | | | 3y ago | Jenkins lambdatest-automation Plugin may expose Credentials access token |
| CVE-2023-46651 | unknown | — | — | | | | 3y ago | Jenkins Warnings Plugin exposes system-scoped credentials |
| CVE-2023-46658 | unknown | — | — | | | | 3y ago | Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison |
| CVE-2023-46652 | unknown | — | — | | | | 3y ago | Jenkins lambdatest-automation Plugin missing permission check |
| CVE-2023-46655 | unknown | — | — | | | | 3y ago | Jenkins CloudBees CD Plugin vulnerable to arbitrary file read |
| CVE-2023-44794 | unknown | — | — | | | | 3y ago | SaToken privilege escalation vulnerability |
| CVE-2023-43961 | unknown | — | — | | | | 3y ago | SaToken authentication bypass vulnerability |
| CVE-2023-31580 | unknown | — | — | | | | 3y ago | light-oauth2 missing public key verification |
| CVE-2023-31582 | unknown | — | — | | | | 3y ago | jose4j uses weak cryptographic algorithm |
| CVE-2023-31581 | unknown | — | — | | | | 3y ago | Sureness uses hardcoded key |
| CVE-2023-43795 | unknown | — | — | | | | 3y ago | WPS Server Side Request Forgery vulnerability |
| CVE-2023-41339 | unknown | — | — | | | | 3y ago | Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF |
| CVE-2023-46122 | unknown | — | — | | | | 3y ago | sbt vulnerable to arbitrary file write via archive extraction (Zip Slip) |
| CVE-2023-46120 | unknown | — | — | | | | 3y ago | RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack |
| CVE-2023-45805 | unknown | — | — | | | | 3y ago | pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source proj… |
| CVE-2023-44483 | unknown | — | — | | | | 3y ago | Apache Santuario - XML Security for Java are vulnerable to private key disclosure |
| CVE-2023-45279 | unknown | — | — | | | | 3y ago | Yamcs Cross-site Scripting vulnerability |
| CVE-2023-45280 | unknown | — | — | | | | 3y ago | Yamcs Cross-site Scripting vulnerability |
| CVE-2023-44690 | unknown | — | — | | | | 3y ago | Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py |
| CVE-2023-45278 | unknown | — | — | | | | 3y ago | Yamcs API Directory Traversal vulnerability |
| CVE-2023-45277 | unknown | — | — | | | | 3y ago | Yamcs Path Traversal vulnerability |
| CVE-2023-47090 | unknown | — | — | | | | 3y ago | NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the int… |
| CVE-2023-46227 | unknown | — | — | | | | 3y ago | Apache InLong Deserialization of Untrusted Data Vulnerability |
| CVE-2023-25753 | unknown | — | — | | | | 3y ago | Apache Shenyu Server Side Request Forgery vulnerability |
| CVE-2023-22102 | unknown | — | — | | | | 3y ago | MySQL Connectors takeover vulnerability |
| CVE-2023-42627 | unknown | — | — | | | | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Commerce Module |
| CVE-2023-45807 | unknown | — | — | | | | 3y ago | OpenSearch Issue with tenant read-only permissions |
| CVE-2023-45669 | unknown | — | — | | | | 3y ago | WebAuthn4J Spring Security Improper signature counter value handling |
| CVE-2023-45144 | unknown | — | — | | | | 3y ago | XWiki Identity Oauth Privilege escalation (PR)/remote code execution from login screen through unescaped URL parameter |
| CVE-2023-44311 | unknown | — | — | | | | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the OAuth2ProviderApplicationRedirect Class |
| CVE-2023-44310 | unknown | — | — | | | | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Page Tree Menu |
| CVE-2023-42628 | unknown | — | — | | | | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Wiki Widget |
| CVE-2023-44309 | unknown | — | — | | | | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Fragment Components |
| CVE-2023-42629 | unknown | — | — | | | | 3y ago | Liferay Portal and Liferay DXP Vulnerable to Stored XSS in the Manage Vocabulary Page |
| CVE-2023-42497 | unknown | — | — | | | | 3y ago | Liferay Portal and Liferay DXP Vulnerable to Reflected XSS via the Export for Translation Page |
| CVE-2023-45138 | unknown | — | — | | | | 3y ago | XWiki Change Request Application UI XSS and remote code execution through change request title |