Security Headlines: Latest CVEs
CVE-2023-3333

Improper Neutralization of Special Elements used in an OS Command vulnerability in NEC Corporation Aterm WG2200HP all versions allows an attacker to execute an arbitrary OS command with root privilege, after obtaining a high privilege by exploiting the CVE-2023-3330 and CVE-2023-3331 vulnerabilities.

CVE-2023-25002: adsk-sa-2023-0002

A maliciously crafted SKP file in Autodesk products can be used to trigger a use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

CVE-2023-36464: improved ExtractText(3) by pubpub-zz · Pull Request #969 · py-pdf/pypdf

pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line `while peek not in (b"\r", b"\n")` in `pypdf/generic/_data_structures.py` to `while peek not in (b"\r", b"\n", b"")`.

CVE-2023-3436: xpdf-4.04/xpdf/XRef.cc: XRef::getObjectStreamObject - forum.xpdfreader.com

Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.

CVE-2020-18409: Bug: CatfishCMS V 4.8.63 CSRF · Issue #5 · xwlrbh/Catfish

A Cross Site Request Forgery (CSRF) vulnerability was discovered in CatfishCMS 4.8.63 that would allow attackers to obtain administrator permissions via /index.php/admin/index/modifymanage.html.

CVE-2020-18404: Bug: ESPCMS P8 XSS · Issue #1 · source-hunter/espcms

An issue was discovered in espcms version P8.18101601. There is a cross site scripting (XSS) vulnerability that allows arbitrary code to be executed via the title parameter.

CVE-2020-18414: Bug: ChaojiCMS V2.18 XSS #3 · Issue #3 · GodEpic/chaojicms

A stored cross site scripting (XSS) vulnerability in Chaoji CMS v2.18 allows attackers to execute arbitrary code via /index.php?admin-master-webset.

CVE-2023-36463: XSS on user input

Meldekarten generator is an open source project to create a program, running locally in the browser without the need for an internet connection, to create, store and print registration cards for volunteers. All text fields on the webpage are vulnerable to XSS attacks: the user input isn't (fully) sanitized after submission. This issue has been addressed in commit `77e04f4af`, which is included in the `1.0.0b1.1.2` release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-30993: IBM Cloud Pak for Security information disclosure CVE-2023-30993 Vulnerability Report

IBM Cloud Pak for Security (CP4S) 1.9.0.0 through 1.9.2.0 could allow an attacker with a valid API key for one tenant to access data from another tenant's account. IBM X-Force ID: 254136.

CVE-2020-19902: BUG:A Arbitrary File Reading Vulnerability in wex/cssjs.php · Issue #3 · vedees/wcms

A Directory Traversal vulnerability found in Cryptoprof WCMS v.0.3.2 allows a remote attacker to execute arbitrary code via the wex/cssjs.php parameter.