VIR Vulnerability Intelligence Relay

CVEs from 2023

6,099 normalized CVEs published or assigned in this year.

Total
6,099
critical
critical 240
high
high 1,530
medium
medium 1,393
low
low 32
% Critical
3.9%
% with KEV
2.7%
% with exploit
3.5%

Top vendors

Top products

  • office 29
  • office_long_term_servicing_channel 15
  • 365_apps 14
  • ftmg-esr50sxx 8
  • ftmg-esn40sxx 8
  • ftmg-esd25axx 8
  • ftmg-esr40sxx 8
  • ftmg-esd15axx 8

Top packages

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2023-29528 unknown 3y ago Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml
CVE-2023-25601 unknown 3y ago Apache DolphinScheduler's python gateway suffered from improper authentication
CVE-2023-29926 unknown 3y ago PowerJob vulnerable to remote code execution
CVE-2023-29922 unknown 3y ago PowerJob vulnerable to Incorrect Access Control via the create user/save interface.
CVE-2023-20862 unknown 3y ago Spring Security logout not clearing security context
CVE-2023-29510 unknown 3y ago Code injection via unescaped translations in xwiki-platform
CVE-2023-29197 unknown 3y ago guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names a…
CVE-2023-26048 unknown 3y ago OutOfMemoryError for large multipart without filename in Eclipse Jetty
CVE-2023-29923 unknown 3y ago PowerJob vulnerable to Insecure Permissions
CVE-2023-29921 unknown 3y ago PowerJob Incorrect Access Control vulnerability
CVE-2023-26049 unknown 3y ago Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies
CVE-2023-24831 unknown 3y ago Apache IoTDB Grafana Connector vulnerable to Improper Authentication
CVE-2023-22946 unknown 3y ago Apache Spark vulnerable to Improper Privilege Management
CVE-2023-30535 unknown 3y ago Snowflake JDBC vulnerable to command injection via SSO URL authentication
CVE-2023-20863 unknown 3y ago Spring Framework vulnerable to denial of service
CVE-2023-20866 unknown 3y ago Spring Session session ID can be logged to the standard output stream
CVE-2023-29207 unknown 3y ago Improper Neutralization of Script-Related HTML Tags (XSS) in the LiveTable Macro
CVE-2023-29203 unknown 3y ago Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
CVE-2023-29206 unknown 3y ago org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
CVE-2023-29205 unknown 3y ago org.xwiki.platform:xwiki-platform-rendering-xwiki vulnerable to stored cross-site scripting via HTML and raw macro
CVE-2023-29204 unknown 3y ago org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability
CVE-2023-29202 unknown 3y ago org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability
CVE-2023-29201 unknown 3y ago org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
CVE-2023-29511 unknown 3y ago xwiki-platform-administration-ui vulnerable to privilege escalation
CVE-2023-30537 unknown 3y ago org.xwiki.platform:xwiki-platform-flamingo-theme-ui vulnerable to privilege escalation
CVE-2023-29509 unknown 3y ago org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
CVE-2023-29508 unknown 3y ago org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting
CVE-2023-29507 unknown 3y ago org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors
CVE-2023-29506 unknown 3y ago org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints
CVE-2023-29214 unknown 3y ago org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability
CVE-2023-29213 unknown 3y ago org.xwiki.platform:xwiki-platform-logging-ui Eval Injection vulnerability
CVE-2023-29212 unknown 3y ago xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability
CVE-2023-29211 unknown 3y ago org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability
CVE-2023-29210 unknown 3y ago org.xwiki.platform:xwiki-platform-notifications-ui Eval Injection vulnerability
CVE-2023-29209 unknown 3y ago org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability
CVE-2023-29208 unknown 3y ago org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents
CVE-2023-30516 unknown 3y ago Jenkins Image Tag Parameter Plugin improperly introduces option to opt out of SSL/TLS certificate validation
CVE-2023-30517 unknown 3y ago Jenkins NeuVector Vulnerability Scanner Plugin disables SSL/TLS certificate and hostname validation
CVE-2023-30519 unknown 3y ago Jenkins Quay.io trigger Plugin webhook endpoint can be accessed without authentication
CVE-2023-30515 unknown 3y ago Jenkins Thycotic DevOps Secrets Vault Plugin does not properly mask credentials
CVE-2023-30513 unknown 3y ago Jenkins Kubernetes Plugin does not properly mask credentials
CVE-2023-30518 unknown 3y ago Jenkins Thycotic Secret Server Plugin missing permissions check
CVE-2023-30514 unknown 3y ago Jenkins Azure Key Vault Plugin does not properly mask credentials
CVE-2023-30525 unknown 3y ago Jenkins Report Portal Plugin Cross-Site Request Forgery vulnerability
CVE-2023-30521 unknown 3y ago Jenkins Assembla merge request builder Plugin missing authentication to access endpoint
CVE-2023-30524 unknown 3y ago Jenkins Report Portal Plugin configuration form does not mask tokens
CVE-2023-30529 unknown 3y ago Jenkins Lucene-Search Plugin vulnerable to Cross-Site Request Forgery
CVE-2023-30523 unknown 3y ago Jenkins Report Portal Plugin allows users with Item/Extended Read permission to view tokens on Jenkins controller
CVE-2023-30527 unknown 3y ago Jenkins WSO2 Oauth Plugin stores WSO2 Oauth client secret unencrypted in global config.xml file on Jenkins controller
CVE-2023-30520 unknown 3y ago Jenkins Quay.io trigger Plugin Cross-site Scripting vulnerability
CVE-2023-30526 unknown 3y ago Jenkins Report Portal Plugin missing permissions check
CVE-2023-30528 unknown 3y ago Jenkins WSO2 Oauth Plugin does not mask the WSO2 Oauth client secret on the global configuration form
CVE-2023-30530 unknown 3y ago Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted
CVE-2023-30532 unknown 3y ago Lack of authentication mechanism in Jenkins TurboScript Plugin webhook
CVE-2023-30531 unknown 3y ago Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted
CVE-2023-29215 unknown 3y ago Apache Linkis JDBC EngineConn has deserialization vulnerability
CVE-2023-29216 unknown 3y ago Apache Linkis DatasourceManager module has deserialization vulnerability
CVE-2023-26120 unknown 3y ago XXL-JOB vulnerable to Cross-site Scripting
CVE-2023-29014 unknown 3y ago Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
CVE-2023-29015 unknown 3y ago Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
CVE-2023-29016 unknown 3y ago Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames
CVE-2023-25330 unknown 3y ago MyBatis-Plus vulnerable to SQL injection via TenantPlugin
CVE-2023-28840 unknown 3y ago Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon componen…
CVE-2023-28841 unknown 3y ago Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon componen…
CVE-2023-28842 unknown 3y ago Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon compone…
CVE-2023-26269 unknown 3y ago Apache James server's JMX management service vulnerable to privilege escalation by local user
CVE-2023-28675 unknown 3y ago Jenkins OctoPerf Load Testing Plugin missing permission check allows for unauthorized server connections
CVE-2023-28668 unknown 3y ago Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled
CVE-2023-28676 unknown 3y ago Jenkins Convert To Pipeline Plugin vulnerable to cross-site request forgery
CVE-2023-28669 unknown 3y ago Jenkins JaCoCo Plugin vulnerable to Stored Cross-site Scripting
CVE-2023-28673 unknown 3y ago Jenkins OctoPerf Load Testing Plugin missing permission check allows for ID enumeration
CVE-2023-28679 unknown 3y ago Jenkins Mashup Portlets Plugin vulnerable to stored cross-site scripting
CVE-2023-28670 unknown 3y ago Jenkins Pipeline Aggregator View Plugin vulnerable to Cross-site Scripting
CVE-2023-28681 unknown 3y ago Jenkins Visual Studio Code Metrics Plugin vulnerable to XML external entity (XXE) attacks
CVE-2023-28678 unknown 3y ago Jenkins Cppcheck Plugin vulnerable to stored cross-site scripting (XSS)
CVE-2023-28672 unknown 3y ago Jenkins OctoPerf Load Testing Plugin vulnerable to credential capture
CVE-2023-28674 unknown 3y ago Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery
CVE-2023-28671 unknown 3y ago Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery
CVE-2023-28680 unknown 3y ago Jenkins Crap4J Plugin vulnerable to XML external entity (XXE) attacks
CVE-2023-28677 unknown 3y ago Jenkins Convert To Pipeline Plugin vulnerable to command injection
CVE-2023-28683 unknown 3y ago Jenkins Phabricator Differential Plugin vulnerable to XML external entity (XXE) attacks
CVE-2023-28682 unknown 3y ago Jenkins Performance Publisher Plugin vulnerable to XML external entity (XXE) attacks
CVE-2023-28684 unknown 3y ago Jenkins remote-jobs-view-plugin vulnerable to XML external entity attacks
CVE-2023-27025 unknown 3y ago RuoYi vulnerable to arbitrary file download
CVE-2023-27162 unknown 3y ago OpenAPI Generator vulnerable to Server-Side Request Forgery
CVE-2023-1784 unknown 3y ago jeecg-boot vulnerable to improper authentication
CVE-2023-28462 unknown 3y ago Payara Server allows remote attackers to load malicious code on the server once a JNDI directory scan is performed
CVE-2023-28935 unknown 3y ago Apache UIMA DUCC allows remote code execution
CVE-2023-28158 unknown 3y ago Apache Archiva vulnerable to privilege escalation via stored cross-site scripting (XSS)
CVE-2023-25722 unknown 3y ago Veracode Scan Jenkins Plugin vulnerable to information disclosure
CVE-2023-25721 unknown 3y ago Veracode Scan Jenkins Plugin vulnerable to information disclosure
CVE-2023-28326 unknown 3y ago Apache OpenMeetings missing authentication and can allow user impersonation
CVE-2023-20860 unknown 3y ago Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch
CVE-2023-28628 unknown 3y ago lambdaisland/uri `authority-regex` returns the wrong authority
CVE-2023-28640 unknown 3y ago Apiman vulnerable to permissions bypass due to missing check on API key URL
CVE-2023-27096 unknown 3y ago Hippo4j allows attacker to obtain sensitive info via ConfigVerifyController function of Tenant Management module
CVE-2023-27296 unknown 3y ago Apache InLong vulnerable to JDBC Deserialization of Untrusted Data
CVE-2023-28867 unknown 3y ago GraphQL Java vulnerable to stack consumption
CVE-2023-20859 unknown 3y ago Spring Vault vulnerable to insertion of sensitive information into a log file
CVE-2023-20861 unknown 3y ago Spring Framework vulnerable to denial of service via specially crafted SpEL expression