CVEs from 2023
Total
6,100
critical
critical 240
high
high 1,530
medium
medium 1,393
low
low 32
% Critical
3.9%
% with KEV
2.7%
% with exploit
3.5%
Top products
- office 29
- office_long_term_servicing_channel 15
- 365_apps 14
- ftmg-esr50sxx 8
- ftmg-esn40sxx 8
- ftmg-esd25axx 8
- ftmg-esr40sxx 8
- ftmg-esd15axx 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-4061 | unknown | — | — | 3y ago | wildfly-core Exposure of Sensitive Information to an Unauthorized Actor vulnerability | |||
| CVE-2023-46244 | unknown | — | — | 3y ago | XWiki Platform privilege escalation from script right to programming right through title displayer | |||
| CVE-2023-46243 | unknown | — | — | 3y ago | XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action | |||
| CVE-2023-46242 | unknown | — | — | 3y ago | XWiki Platform vulnerable to remote code execution via the edit action because it lacks CSRF token | |||
| CVE-2023-4043 | unknown | — | — | 3y ago | Eclipse Parsson Denial of Service vulnerability | |||
| CVE-2023-5763 | unknown | — | — | 3y ago | Eclipse Glassfish remote code execution issue | |||
| CVE-2023-43665 | unknown | — | — | 3y ago | In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of … | |||
| CVE-2023-41164 | unknown | — | — | 3y ago | In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large … | |||
| CVE-2023-31579 | unknown | — | — | 3y ago | Dromara Lamp-Cloud Use of Hard-coded Cryptographic Key | |||
| CVE-2023-46695 | unknown | — | — | 3y ago | An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is s… | |||
| CVE-2023-46129 | unknown | — | — | 3y ago | NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recent… | |||
| CVE-2023-46502 | unknown | — | — | 3y ago | OpenCRX allows a remote attacker to execute arbitrary code via a crafted request | |||
| CVE-2023-31417 | unknown | — | — | 3y ago | Elasticsearch allows insertion of sensitive information into log files when using deprecated URIs | |||
| CVE-2023-31419 | unknown | — | — | 3y ago | Elasticsearch vulnerable to stack overflow in the search API | |||
| CVE-2023-31418 | unknown | — | — | 3y ago | Elasticsearch vulnerable to Uncontrolled Resource Consumption | |||
| CVE-2023-45137 | unknown | — | — | 3y ago | XWiki Platform vulnerable to XSS with edit right in the create document form for existing pages | |||
| CVE-2023-45136 | unknown | — | — | 3y ago | XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled | |||
| CVE-2023-45135 | unknown | — | — | 3y ago | XWiki users can be tricked to execute scripts as the create page action doesn't display the page's title | |||
| CVE-2023-45134 | unknown | — | — | 3y ago | XWiki Platform XSS vulnerability from account in the create page form via template provider | |||
| CVE-2023-37913 | unknown | — | — | 3y ago | org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter | |||
| CVE-2023-37912 | unknown | — | — | 3y ago | XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro | |||
| CVE-2023-37911 | unknown | — | — | 3y ago | org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents | |||
| CVE-2023-37910 | unknown | — | — | 3y ago | org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move | |||
| CVE-2023-37909 | unknown | — | — | 3y ago | Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet | |||
| CVE-2023-37908 | unknown | — | — | 3y ago | org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability | |||
| CVE-2023-5752 | unknown | — | — | 3y ago | When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to th… | |||
| CVE-2023-46655 | unknown | — | — | 3y ago | Jenkins CloudBees CD Plugin vulnerable to arbitrary file read | |||
| CVE-2023-46656 | unknown | — | — | 3y ago | Jenkins Multibranch Scan Webhook Trigger Plugin uses non-constant time webhook token comparison | |||
| CVE-2023-46657 | unknown | — | — | 3y ago | Jenkins Gogs Plugin uses non-constant time webhook token comparison | |||
| CVE-2023-46650 | unknown | — | — | 3y ago | Stored XSS vulnerability in Jenkins GitHub Plugin | |||
| CVE-2023-46660 | unknown | — | — | 3y ago | Non-constant time webhook token hash comparison in Jenkins Zanata Plugin | |||
| CVE-2023-46654 | unknown | — | — | 3y ago | Jenkins CloudBees CD Plugin vulnerable to arbitrary file deletion | |||
| CVE-2023-46658 | unknown | — | — | 3y ago | Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison | |||
| CVE-2023-46651 | unknown | — | — | 3y ago | Jenkins Warnings Plugin exposures system-scoped credentials | |||
| CVE-2023-46659 | unknown | — | — | 3y ago | Jenkins Edgewall Trac Plugin vulnerable to Stored XSS | |||
| CVE-2023-46653 | unknown | — | — | 3y ago | Jenkins lambdatest-automation Plugin may expose Credentials access token | |||
| CVE-2023-46652 | unknown | — | — | 3y ago | Jenkins lambdatest-automation Plugin missing permission check | |||
| CVE-2023-44794 | unknown | — | — | 3y ago | SaToken privilege escalation vulnerability | |||
| CVE-2023-43961 | unknown | — | — | 3y ago | SaToken authentication bypass vulnerability | |||
| CVE-2023-31581 | unknown | — | — | 3y ago | Sureness uses hardcoded key | |||
| CVE-2023-31582 | unknown | — | — | 3y ago | jose4j uses weak cryptographic algorithm | |||
| CVE-2023-31580 | unknown | — | — | 3y ago | light-oauth2 missing public key verification | |||
| CVE-2023-43795 | unknown | — | — | 3y ago | WPS Server Side Request Forgery vulnerability | |||
| CVE-2023-41339 | unknown | — | — | 3y ago | Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF | |||
| CVE-2023-46122 | unknown | — | — | 3y ago | sbt vulnerable to arbitrary file write via archive extraction (Zip Slip) | |||
| CVE-2023-46120 | unknown | — | — | 3y ago | RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack | |||
| CVE-2023-45805 | unknown | — | — | 3y ago | pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source proj… | |||
| CVE-2023-44483 | unknown | — | — | 3y ago | Apache Santuario - XML Security for Java are vulnerable to private key disclosure | |||
| CVE-2023-45279 | unknown | — | — | 3y ago | Yamcs Cross-site Scripting vulnerability | |||
| CVE-2023-45280 | unknown | — | — | 3y ago | Yamcs Cross-site Scripting vulnerability | |||
| CVE-2023-44690 | unknown | — | — | 3y ago | Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py | |||
| CVE-2023-45277 | unknown | — | — | 3y ago | Yamcs Path Traversal vulnerability | |||
| CVE-2023-45278 | unknown | — | — | 3y ago | Yamcs API Directory Traversal vulnerability | |||
| CVE-2023-47090 | unknown | — | — | 3y ago | NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the int… | |||
| CVE-2023-46227 | unknown | — | — | 3y ago | Apache InLong Deserialization of Untrusted Data Vulnerability | |||
| CVE-2023-25753 | unknown | — | — | 3y ago | Apache Shenyu Server Side Request Forgery vulnerability | |||
| CVE-2023-22102 | unknown | — | — | 3y ago | MySQL Connectors takeover vulnerability | |||
| CVE-2023-42627 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Commerce Module | |||
| CVE-2023-45807 | unknown | — | — | 3y ago | OpenSearch Issue with tenant read-only permissions | |||
| CVE-2023-45669 | unknown | — | — | 3y ago | WebAuthn4J Spring Security Improper signature counter value handling | |||
| CVE-2023-45144 | unknown | — | — | 3y ago | XWiki Identity Oauth Privilege escalation (PR)/remote code execution from login screen through unescaped URL parameter | |||
| CVE-2023-44310 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Page Tree Menu | |||
| CVE-2023-42628 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Wiki Widget | |||
| CVE-2023-44311 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the OAuth2ProviderApplicationRedirect Class | |||
| CVE-2023-44309 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Fragment Components | |||
| CVE-2023-42629 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to Stored XSS in the Manage Vocabulary Page | |||
| CVE-2023-42497 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to Reflected XSS via the Export for Translation Page | |||
| CVE-2023-45138 | unknown | — | — | 3y ago | XWiki Change Request Application UI XSS and remote code execution through change request title | |||
| CVE-2023-43666 | unknown | — | — | 3y ago | Insufficient Verification of Data Authenticity in Apache InLong | |||
| CVE-2023-43668 | unknown | — | — | 3y ago | Authorization Bypass in Apache InLong | |||
| CVE-2023-43667 | unknown | — | — | 3y ago | SQL Injection in Apache InLong | |||
| CVE-2023-44981 | unknown | — | — | 3y ago | Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper | |||
| CVE-2023-36478 | unknown | — | — | 3y ago | HTTP/2 HPACK integer overflow and buffer allocation | |||
| CVE-2023-36566 | unknown | — | — | 3y ago | Microsoft Common Data Model SDK Denial of Service Vulnerability | |||
| CVE-2023-25822 | unknown | — | — | 3y ago | Denial of service vulnerability on creating a Launch with too many recursively nested elements in reportportal | |||
| CVE-2023-43643 | unknown | — | — | 3y ago | mXSS in AntiSamy | |||
| CVE-2023-45303 | unknown | — | — | 3y ago | ThingsBoard Server-Side Template Injection | |||
| CVE-2023-36820 | unknown | — | — | 3y ago | io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud | |||
| CVE-2023-4586 | unknown | — | — | 3y ago | Withdrawn Advisory: Netty-handler does not validate host names by default | |||
| CVE-2023-1584 | unknown | — | — | 3y ago | Quarkus OIDC can leak both ID and access tokens | |||
| CVE-2023-44270 | unknown | — | — | 3y ago | An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains part… | |||
| CVE-2023-43655 | unknown | — | — | 3y ago | Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code exec… | |||
| CVE-2023-39410 | unknown | — | — | 3y ago | Apache Avro Java SDK vulnerable to Improper Input Validation | |||
| CVE-2023-3223 | unknown | — | — | 3y ago | Undertow vulnerable to denial of service | |||
| CVE-2023-43642 | unknown | — | — | 3y ago | snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact | |||
| CVE-2023-40989 | unknown | — | — | 3y ago | SQL injection in jeecgboot | |||
| CVE-2023-42810 | unknown | — | — | 3y ago | systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.… | |||
| CVE-2023-43497 | unknown | — | — | 3y ago | Jenkins temporary uploaded file created with insecure permissions | |||
| CVE-2023-43502 | unknown | — | — | 3y ago | Jenkins Build Failure Analyzer Plugin Cross-Site Request Forgery vulnerability | |||
| CVE-2023-43494 | unknown | — | — | 3y ago | Jenkins does not exclude sensitive build variables from search | |||
| CVE-2023-43500 | unknown | — | — | 3y ago | Jenkins Build Failure Analyzer Plugin Cross-Site Request Forgery vulnerability | |||
| CVE-2023-43495 | unknown | — | — | 3y ago | Jenkins Cross-site Scripting vulnerability | |||
| CVE-2023-43496 | unknown | — | — | 3y ago | Jenkins temporary plugin file created with insecure permissions | |||
| CVE-2023-43498 | unknown | — | — | 3y ago | Jenkins temporary uploaded file created with insecure permissions | |||
| CVE-2023-43501 | unknown | — | — | 3y ago | Jenkins Build Failure Analyzer Plugin missing permission check | |||
| CVE-2023-34047 | unknown | — | — | 3y ago | Spring for GraphQL may be exposed to GraphQL context with values from a different session | |||
| CVE-2023-4853 | unknown | — | — | 3y ago | Quarkus HTTP vulnerable to incorrect evaluation of permissions | |||
| CVE-2023-4759 | unknown | — | — | 3y ago | Arbitrary File Overwrite in Eclipse JGit | |||
| CVE-2023-41900 | unknown | — | — | 3y ago | Jetty's OpenId Revoked authentication allows one request | |||
| CVE-2023-40167 | unknown | — | — | 3y ago | Jetty accepts "+" prefixed value in Content-Length |