CVEs from 2023
- Total: 6,100
- Critical: 240
- High: 1,530
- Medium: 1,393
- Low: 32
- % Critical: 3.9%
- % with KEV: 2.7%
- % with exploit: 3.5%
Top products
- office 29
- office_long_term_servicing_channel 15
- 365_apps 14
- ftmg-esr50sxx 8
- ftmg-esn40sxx 8
- ftmg-esd25axx 8
- ftmg-esr40sxx 8
- ftmg-esd15axx 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-40346 | unknown | — | — | | | | 3y ago | Jenkins Shortcut Job Plugin stored cross-site scripting vulnerability |
| CVE-2023-40343 | unknown | — | — | | | | 3y ago | Jenkins Tuleap Authentication Plugin non-constant time token comparison |
| CVE-2023-40336 | unknown | — | — | | | | 3y ago | Jenkins Folders Plugin cross-site request forgery vulnerability |
| CVE-2023-40338 | unknown | — | — | | | | 3y ago | Jenkins Folders Plugin information disclosure vulnerability |
| CVE-2023-38889 | unknown | — | — | | | | 3y ago | Alluxio vulnerable to arbitrary code execution |
| CVE-2023-40312 | unknown | — | — | | | | 3y ago | OpenNMS vulnerable to Cross-site Scripting |
| CVE-2023-40311 | unknown | — | — | | | | 3y ago | OpenNMS vulnerable to Cross-site Scripting |
| CVE-2023-0871 | unknown | — | — | | | | 3y ago | OpenNMS Horizon XXE Injection Vulnerability |
| CVE-2023-3894 | unknown | — | — | | | | 3y ago | Denial of service in jackson-dataformat-toml |
| CVE-2023-36480 | unknown | — | — | | | | 3y ago | Aerospike Java Client vulnerable to unsafe deserialization of server responses |
| CVE-2023-4136 | unknown | — | — | | | | 3y ago | Cross-site Scripting (XSS) in CrafterCMS |
| CVE-2023-3426 | unknown | — | — | | | | 3y ago | Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions |
| CVE-2023-36542 | unknown | — | — | | | | 3y ago | Apache NiFi Code Injection vulnerability |
| CVE-2023-39020 | unknown | — | — | | | | 3y ago | Code injection in stanford-parser |
| CVE-2023-39015 | unknown | — | — | | | | 3y ago | Code injection in webmagic-core |
| CVE-2023-39013 | unknown | — | — | | | | 3y ago | Code injection in Duke |
| CVE-2023-39022 | unknown | — | — | | | | 3y ago | Code injection in oscore |
| CVE-2023-39021 | unknown | — | — | | | | 3y ago | Code injection in wix-embedded-mysql |
| CVE-2023-37754 | unknown | — | — | | | | 3y ago | Code injection in PowerJob |
| CVE-2023-38992 | unknown | — | — | | | | 3y ago | SQL injection in jeecg-boot |
| CVE-2023-39010 | unknown | — | — | | | | 3y ago | Code injection in BoofCV |
| CVE-2023-3990 | unknown | — | — | | | | 3y ago | Cross-site Scripting in Mingsoft MCMS |
| CVE-2023-38509 | unknown | — | — | | | | 3y ago | Obfuscated email addresses should not be sorted |
| CVE-2023-3442 | unknown | — | — | | | | 3y ago | Missing authorization in Jenkins Plug-in for ServiceNow |
| CVE-2023-3414 | unknown | — | — | | | | 3y ago | Credential leakage in Jenkins Plug-in for ServiceNow |
| CVE-2023-39151 | unknown | — | — | | | | 3y ago | Jenkins Stored Cross-site Scripting vulnerability |
| CVE-2023-39154 | unknown | — | — | | | | 3y ago | Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials |
| CVE-2023-39152 | unknown | — | — | | | | 3y ago | Incorrect control flow in Jenkins Gradle Plugin breaks credentials masking in the build log |
| CVE-2023-39155 | unknown | — | — | | | | 3y ago | Secret displayed without masking by Chef Identity Plugin |
| CVE-2023-39156 | unknown | — | — | | | | 3y ago | CSRF vulnerability in Bazaar Plugin |
| CVE-2023-39153 | unknown | — | — | | | | 3y ago | CSRF vulnerability in GitLab Authentication Plugin |
| CVE-2023-38647 | unknown | — | — | | | | 3y ago | Deserialization vulnerability in Helix workflow and REST |
| CVE-2023-38435 | unknown | — | — | | | | 3y ago | Cross-site Scripting in healthcheck webconsole plugin |
| CVE-2023-38493 | unknown | — | — | | | | 3y ago | Paths contain matrix variables bypass decorators |
| CVE-2023-37460 | unknown | — | — | | | | 3y ago | Arbitrary File Creation in AbstractUnArchiver |
| CVE-2023-37895 | unknown | — | — | | | | 3y ago | Remote code execution in Apache Jackrabbit |
| CVE-2023-3637 | unknown | — | — | | | | 3y ago | An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates re… |
| CVE-2023-35088 | unknown | — | — | | | | 3y ago | SQL injection in audit endpoint |
| CVE-2023-34434 | unknown | — | — | | | | 3y ago | JDBC URL bypassing by allowLoadLocalInfileInPath param |
| CVE-2023-34189 | unknown | — | — | | | | 3y ago | Apache InLong: General user can delete and update process |
| CVE-2023-34478 | unknown | — | — | | | | 3y ago | Path Traversal in Apache Shiro |
| CVE-2023-3815 | unknown | — | — | | | | 3y ago | RuoYi vulnerable to Cross-site Scripting |
| CVE-2023-37602 | unknown | — | — | | | | 3y ago | Alkacon OpenCMS arbitrary file upload vulnerability |
| CVE-2023-37471 | unknown | — | — | | | | 3y ago | OpenAM vulnerable to user impersonation using SAMLv1.x SSO process |
| CVE-2023-37276 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request pars… |
| CVE-2023-33265 | unknown | — | — | | | | 3y ago | Hazelcast Executor Services don't check client permissions properly |
| CVE-2023-32262 | unknown | — | — | | | | 3y ago | Exposure of system-scoped credentials in Jenkins Dimensions Plugin |
| CVE-2023-32263 | unknown | — | — | | | | 3y ago | Potential leak of credentials in Micro Focus Dimensions CM Jenkins Plugin |
| CVE-2023-32261 | unknown | — | — | | | | 3y ago | Missing permission check in Jenkins Dimensions Plugin allows enumerating credentials IDs |
| CVE-2023-34034 | unknown | — | — | | | | 3y ago | Access Control Bypass in Spring Security |
| CVE-2023-28754 | unknown | — | — | | | | 3y ago | Apache ShardingSphere-Agent Deserialization of Untrusted Data vulnerability |
| CVE-2023-0105 | unknown | — | — | | | | 3y ago | Keycloak: Impersonation and lockout possible through incorrect handling of email trust |
| CVE-2023-37476 | unknown | — | — | | | | 3y ago | OpenRefine vulnerable to zip slip in project import |
| CVE-2023-34035 | unknown | — | — | | | | 3y ago | Spring Security's authorization rules can be misconfigured when using multiple servlets |
| CVE-2023-34036 | unknown | — | — | | | | 3y ago | Spring HATEOAS vulnerable to Improper Neutralization of HTTP Headers for Scripting Syntax |
| CVE-2023-26512 | unknown | — | — | | | | 3y ago | rabbitmq-connector plugin module in Apache EventMesh platforms allows attackers to send controlled message |
| CVE-2023-37462 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-skin-ui Eval Injection vulnerability |
| CVE-2023-38286 | unknown | — | — | | | | 3y ago | Spring-boot-admin sandbox bypass via crafted HTML |
| CVE-2023-3635 | unknown | — | — | | | | 3y ago | Okio Signed to Unsigned Conversion Error vulnerability |
| CVE-2023-37961 | unknown | — | — | | | | 3y ago | Jenkins Assembla Auth Plugin vulnerable to cross-site request forgery |
| CVE-2023-37958 | unknown | — | — | | | | 3y ago | Jenkins Sumologic Publisher Plugin vulnerable to cross-site request forgery |
| CVE-2023-37964 | unknown | — | — | | | | 3y ago | Jenkins ElasticBox CI Plugin vulnerable to cross-site request forgery |
| CVE-2023-37963 | unknown | — | — | | | | 3y ago | Jenkins Benchmark Evaluator Plugin missing permission check |
| CVE-2023-37962 | unknown | — | — | | | | 3y ago | Jenkins Benchmark Evaluator Plugin vulnerable to cross-site request forgery |
| CVE-2023-37960 | unknown | — | — | | | | 3y ago | Jenkins MathWorks Polyspace Plugin vulnerable to arbitrary file read |
| CVE-2023-37959 | unknown | — | — | | | | 3y ago | Jenkins Sumologic Publisher Plugin missing permission check |
| CVE-2023-37965 | unknown | — | — | | | | 3y ago | Jenkins ElasticBox CI Plugin missing permission check |
| CVE-2023-37945 | unknown | — | — | | | | 3y ago | Jenkins SAML Single Sign On (SSO) Plugin missing permission check |
| CVE-2023-37951 | unknown | — | — | | | | 3y ago | Jenkins mabl Plugin vulnerable to exposure of system-scoped credentials |
| CVE-2023-37946 | unknown | — | — | | | | 3y ago | Jenkins OpenShift Login Plugin session fixation vulnerability |
| CVE-2023-37956 | unknown | — | — | | | | 3y ago | Jenkins Test Results Aggregator Plugin missing permission check |
| CVE-2023-37957 | unknown | — | — | | | | 3y ago | Jenkins Pipeline restFul API Plugin vulnerable to Cross Site Request Forgery |
| CVE-2023-37949 | unknown | — | — | | | | 3y ago | Jenkins Orka by MacStadium Plugin missing permission check |
| CVE-2023-37952 | unknown | — | — | | | | 3y ago | Jenkins mabl Plugin vulnerable to cross-site request forgery |
| CVE-2023-37954 | unknown | — | — | | | | 3y ago | Jenkins Rebuilder Plugin vulnerable to Cross Site Request Forgery |
| CVE-2023-37955 | unknown | — | — | | | | 3y ago | Jenkins Test Results Aggregator Plugin vulnerable to Cross Site Request Forgery |
| CVE-2023-37944 | unknown | — | — | | | | 3y ago | Jenkins Datadog Plugin does not perform a permission check in an HTTP endpoint. |
| CVE-2023-37947 | unknown | — | — | | | | 3y ago | Jenkins OpenShift Login Plugin vulnerable to Open Redirect |
| CVE-2023-37953 | unknown | — | — | | | | 3y ago | Jenkins mabl Plugin missing permission check |
| CVE-2023-37943 | unknown | — | — | | | | 3y ago | Jenkins Active Directory Plugin vulnerable to Active Directory credential disclosure |
| CVE-2023-37948 | unknown | — | — | | | | 3y ago | Jenkins Oracle Cloud Infrastructure Compute Plugin missing SSH host key validation |
| CVE-2023-37942 | unknown | — | — | | | | 3y ago | Jenkins External Monitor Job Type Plugin XML external entity vulnerability |
| CVE-2023-30428 | unknown | — | — | | | | 3y ago | Apache Pulsar Broker's Rest Producer vulnerable to Incorrect Authorization |
| CVE-2023-31007 | unknown | — | — | | | | 3y ago | Apache Pulsar Broker Improper Authentication vulnerability |
| CVE-2023-37582 | unknown | — | — | | | | 3y ago | RocketMQ NameServer component Code Injection vulnerability |
| CVE-2023-37579 | unknown | — | — | | | | 3y ago | Apache Pulsar Function Worker Incorrect Authorization vulnerability |
| CVE-2023-30429 | unknown | — | — | | | | 3y ago | Apache Pulsar Incorrect Authorization vulnerability |
| CVE-2023-32200 | unknown | — | — | | | | 3y ago | Apache Jena Expression Language Injection vulnerability |
| CVE-2023-37277 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to cross-site request forgery (CSRF) via the REST API |
| CVE-2023-34442 | unknown | — | — | | | | 3y ago | Apache Camel information exposure vulnerability |
| CVE-2023-35887 | unknown | — | — | | | | 3y ago | Apache MINA SSHD information disclosure vulnerability |
| CVE-2023-33008 | unknown | — | — | | | | 3y ago | Apache Johnzon Deserialization of Untrusted Data vulnerability |
| CVE-2023-30601 | unknown | — | — | | | | 3y ago | Apache Cassandra: Privilege escalation when enabling FQL/Audit logs |
| CVE-2023-29824 | unknown | — | — | | | | 3y ago | A use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0. NOTE: the vendor and discoverer indicate that this is not a security issue. |
| CVE-2023-31206 | unknown | — | — | | | | 3y ago | Apache InLong Exposure of Resource to Wrong Sphere vulnerability |
| CVE-2023-31454 | unknown | — | — | | | | 3y ago | Apache InLong vulnerable to Incorrect Permission Assignment for Critical Resource |
| CVE-2023-31453 | unknown | — | — | | | | 3y ago | Apache InLong Incorrect Permission Assignment for Critical Resource Vulnerability |
| CVE-2023-31103 | unknown | — | — | | | | 3y ago | Apache InLong Exposure of Resource to Wrong Sphere vulnerability |
| CVE-2023-31064 | unknown | — | — | | | | 3y ago | Apache InLong has Files or Directories Accessible to External Parties |
| CVE-2023-31066 | unknown | — | — | | | | 3y ago | Apache InLong has Files or Directories Accessible to External Parties in Apache InLong |