CVEs from 2023

6,091 normalized CVEs published or assigned in this year.

Total: 6,091
Critical: 240
High: 1,530
Medium: 1,393
Low: 32
% Critical: 3.9%
% with KEV: 2.7%
% with exploit: 3.5%

Top vendors

Top products

  • office 29
  • office_long_term_servicing_channel 15
  • 365_apps 14
  • ftmg-esr50sxx 8
  • ftmg-esn40sxx 8
  • ftmg-esd25axx 8
  • ftmg-esr40sxx 8
  • ftmg-esd15axx 8
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2023-29509 unknown 3y ago org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
CVE-2023-29508 unknown 3y ago org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting
CVE-2023-29507 unknown 3y ago org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors
CVE-2023-29506 unknown 3y ago org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints
CVE-2023-29214 unknown 3y ago org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability
CVE-2023-29213 unknown 3y ago org.xwiki.platform:xwiki-platform-logging-ui Eval Injection vulnerability
CVE-2023-29212 unknown 3y ago xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability
CVE-2023-29211 unknown 3y ago org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability
CVE-2023-29210 unknown 3y ago org.xwiki.platform:xwiki-platform-notifications-ui Eval Injection vulnerability
CVE-2023-29209 unknown 3y ago org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability
CVE-2023-29208 unknown 3y ago org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents
CVE-2023-30519 unknown 3y ago Jenkins Quay.io trigger Plugin webhook endpoint can be accessed without authentication
CVE-2023-30515 unknown 3y ago Jenkins Thycotic DevOps Secrets Vault Plugin does not properly mask credentials
CVE-2023-30518 unknown 3y ago Jenkins Thycotic Secret Server Plugin missing permissions check
CVE-2023-30516 unknown 3y ago Jenkins Image Tag Parameter Plugin improperly introduces option to opt out of SSL/TLS certificate validation
CVE-2023-30517 unknown 3y ago Jenkins NeuVector Vulnerability Scanner Plugin disables SSL/TLS certificate and hostname validation
CVE-2023-30513 unknown 3y ago Jenkins Kubernetes Plugin does not properly mask credentials
CVE-2023-30514 unknown 3y ago Jenkins Azure Key Vault Plugin does not properly mask credentials
CVE-2023-30525 unknown 3y ago Jenkins Report Portal Plugin Cross-Site Request Forgery vulnerability
CVE-2023-30529 unknown 3y ago Jenkins Lucene-Search Plugin vulnerable to Cross-Site Request Forgery
CVE-2023-30526 unknown 3y ago Jenkins Report Portal Plugin missing permissions check
CVE-2023-30530 unknown 3y ago Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted
CVE-2023-30528 unknown 3y ago Jenkins WSO2 Oauth Plugin does not mask the WSO2 Oauth client secret on the global configuration form
CVE-2023-30527 unknown 3y ago Jenkins WSO2 Oauth Plugin stores WSO2 Oauth client secret unencrypted in global config.xml file on Jenkins controller
CVE-2023-30523 unknown 3y ago Jenkins Report Portal Plugin allows users with Item/Extended Read permission to view tokens on Jenkins controller
CVE-2023-30524 unknown 3y ago Jenkins Report Portal Plugin configuration form does not mask tokens
CVE-2023-30521 unknown 3y ago Jenkins Assembla merge request builder Plugin missing authentication to access endpoint
CVE-2023-30520 unknown 3y ago Jenkins Quay.io trigger Plugin Cross-site Scripting vulnerability
CVE-2023-30532 unknown 3y ago Lack of authentication mechanism in Jenkins TurboScript Plugin webhook
CVE-2023-30531 unknown 3y ago Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted
CVE-2023-29215 unknown 3y ago Apache Linkis JDBC EngineConn has deserialization vulnerability
CVE-2023-29216 unknown 3y ago Apache Linkis DatasourceManager module has deserialization vulnerability
CVE-2023-26120 unknown 3y ago XXL-JOB vulnerable to Cross-site Scripting
CVE-2023-29014 unknown 3y ago Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
CVE-2023-29015 unknown 3y ago Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
CVE-2023-29016 unknown 3y ago Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames
CVE-2023-25330 unknown 3y ago MyBatis-Plus vulnerable to SQL injection via TenantPlugin
CVE-2023-28840 unknown 3y ago Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon componen…
CVE-2023-28841 unknown 3y ago Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon componen…
CVE-2023-28842 unknown 3y ago Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon compone…
CVE-2023-26269 unknown 3y ago Apache James server's JMX management service vulnerable to privilege escalation by local user
CVE-2023-28674 unknown 3y ago Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery
CVE-2023-28669 unknown 3y ago Jenkins JaCoCo Plugin vulnerable to Stored Cross-site Scripting
CVE-2023-28676 unknown 3y ago Jenkins Convert To Pipeline Plugin vulnerable to cross-site request forgery
CVE-2023-28672 unknown 3y ago Jenkins OctoPerf Load Testing Plugin vulnerable to credential capture
CVE-2023-28678 unknown 3y ago Jenkins Cppcheck Plugin vulnerable to stored cross-site scripting (XSS)
CVE-2023-28673 unknown 3y ago Jenkins OctoPerf Load Testing Plugin missing permission check allows for ID enumeration
CVE-2023-28675 unknown 3y ago Jenkins OctoPerf Load Testing Plugin missing permission check allows for unauthorized server connections
CVE-2023-28681 unknown 3y ago Jenkins Visual Studio Code Metrics Plugin vulnerable to XML external entity (XXE) attacks
CVE-2023-28680 unknown 3y ago Jenkins Crap4J Plugin vulnerable to XML external entity (XXE) attacks
CVE-2023-28670 unknown 3y ago Jenkins Pipeline Aggregator View Plugin vulnerable to Cross-site Scripting
CVE-2023-28679 unknown 3y ago Jenkins Mashup Portlets Plugin vulnerable to stored cross-site scripting
CVE-2023-28671 unknown 3y ago Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery
CVE-2023-28668 unknown 3y ago Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled
CVE-2023-28677 unknown 3y ago Jenkins Convert To Pipeline Plugin vulnerable to command injection
CVE-2023-28683 unknown 3y ago Jenkins Phabricator Differential Plugin vulnerable to XML external entity (XXE) attacks
CVE-2023-28684 unknown 3y ago Jenkins remote-jobs-view-plugin vulnerable to XML external entity attacks
CVE-2023-28682 unknown 3y ago Jenkins Performance Publisher Plugin vulnerable to XML external entity (XXE) attacks
CVE-2023-27025 unknown 3y ago RuoYi vulnerable to arbitrary file download
CVE-2023-27162 unknown 3y ago OpenAPI Generator vulnerable to Server-Side Request Forgery
CVE-2023-1784 unknown 3y ago jeecg-boot vulnerable to improper authentication
CVE-2023-28462 unknown 3y ago Payara Server allows remote attackers to load malicious code on the server once a JNDI directory scan is performed
CVE-2023-28935 unknown 3y ago Apache UIMA DUCC allows remote code execution
CVE-2023-28447 unknown 3y ago CiviCRM vulnerability
CVE-2023-28158 unknown 3y ago Apache Archiva vulnerable to privilege escalation via stored cross-site scripting (XSS)
CVE-2023-25721 unknown 3y ago Veracode Scan Jenkins Plugin vulnerable to information disclosure
CVE-2023-25722 unknown 3y ago Veracode Scan Jenkins Plugin vulnerable to information disclosure
CVE-2023-28326 unknown 3y ago Apache OpenMeetings missing authentication and can allow user impersonation
CVE-2023-20860 unknown 3y ago Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch
CVE-2023-28628 unknown 3y ago lambdaisland/uri `authority-regex` returns the wrong authority
CVE-2023-28640 unknown 3y ago Apiman vulnerable to permissions bypass due to missing check on API key URL
CVE-2023-27096 unknown 3y ago Hippo4j allows attacker to obtain sensitive info via ConfigVerifyController function of Tenant Management module
CVE-2023-27296 unknown 3y ago Apache InLong vulnerable to JDBC Deserialization of Untrusted Data
CVE-2023-28867 unknown 3y ago GraphQL Java vulnerable to stack consumption
CVE-2023-20859 unknown 3y ago Spring Vault vulnerable to insertion of sensitive information into a log file
CVE-2023-20861 unknown 3y ago Spring Framework vulnerable to denial of service via specially crafted SpEL expression
CVE-2023-1370 unknown 3y ago json-smart Uncontrolled Recursion vulnerability
CVE-2023-27094 unknown 3y ago Hippo4j privilege escalation issue
CVE-2023-0870 unknown 3y ago OpenNMS Meridian and Horizon vulnerable to Cross-Site Request Forgery
CVE-2023-1436 unknown 3y ago Jettison vulnerable to infinite recursion
CVE-2023-27087 unknown 3y ago Xuxueli xxl-job allows attacker to obtain sensitive information via the pageList parameter
CVE-2023-28118 unknown 3y ago kaml has potential denial of service while parsing input with anchors and aliases
CVE-2023-26513 unknown 3y ago Apache Sling Resource Merger has Excessive Iteration vulnerability
CVE-2023-1454 unknown 3y ago jeecg-boot SQL Injection vulnerability
CVE-2023-27095 unknown 3y ago Exposure of Sensitive Information in OpenGoofy Hippo4j
CVE-2023-0100 unknown 3y ago Improper Input Validation In Eclipse BIRT
CVE-2023-24535 unknown 3y ago Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a…
CVE-2023-24279 unknown 3y ago ONOS vulnerable to reflected cross-site scripting
CVE-2023-28465 unknown 3y ago HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057
CVE-2023-27904 unknown 3y ago Information disclosure through error stack traces related to agents
CVE-2023-27900 unknown 3y ago Denial of service in Jenkins Core
CVE-2023-27898 unknown 3y ago Cross-site Scripting vulnerability in Jenkins
CVE-2023-27899 unknown 3y ago Incorrect Authorization in Jenkins Core
CVE-2023-27902 unknown 3y ago Incorrect Permission Preservation in Jenkins Core
CVE-2023-27903 unknown 3y ago Incorrect Authorization in Jenkins Core
CVE-2023-27905 unknown 3y ago Cross site scripting vulnerability in update-center2
CVE-2023-27901 unknown 3y ago Denial of service in Jenkins Core
CVE-2023-26464 unknown 3y ago Apache Log4j 1.x (EOL) allows Denial of Service (DoS)
CVE-2023-27480 unknown 3y ago XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference
CVE-2023-27479 unknown 3y ago org.xwiki.platform:xwiki-platform-panels-ui vulnerable to Eval Injection