CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2020-21861 File upload vulnerability in DuxCMS 2.1 allows attackers to execute arbitrary php code via duxcms/AdminUpload/upload. | 8.8 | HIGH | — | 0 |
| CVE-2020-21862 Directory traversal vulnerability in DuxCMS 2.1 allows attackers to delete arbitrary files via /admin/AdminBackup/del. | 8.1 | HIGH | — | 0 |
| CVE-2020-22336 An issue was discovered in pdfcrack 0.17 thru 0.18, allows attackers to execute arbitrary code via a stack overflow in the MD5 function. | 9.8 | CRITICAL | — | 0 |
| CVE-2023-35937 Metersphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in Metersphere lack permission checks. This allows ordinary users to execute APIs that can onl... | 6.0 | MEDIUM | — | 0 |
| CVE-2023-36188 An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method. | 9.8 | CRITICAL | — | 0 |
| CVE-2023-36189 SQL injection vulnerability in langchain before v0.0.247 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component. | 7.5 | HIGH | — | 0 |
| CVE-2023-36968 A SQL Injection vulnerability detected in Food Ordering System v1.0 allows attackers to run commands on the database by sending crafted SQL queries to the ID parameter. | 7.2 | HIGH | — | 0 |
| CVE-2023-36995 TravianZ through 8.3.4 allows XSS via the Alliance tag/name, the statistics page, the link preferences, the Admin Logs, or the COOKUSR cookie. | 6.1 | MEDIUM | — | 0 |
| CVE-2023-22299 An OS command injection vulnerability exists in the vtysh_ubus _get_fw_logs functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to command execution. An attacker c... | 8.8 | HIGH | — | 0 |
| CVE-2023-22306 An OS command injection vulnerability exists in the libzebra.so bridge_group functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker c... | 7.2 | HIGH | — | 0 |
| CVE-2023-22319 A sql injection vulnerability exists in the requestHandlers.js LoginAuth functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can s... | 7.3 | HIGH | — | 0 |
| CVE-2023-22365 An OS command injection vulnerability exists in the ys_thirdparty check_system_user functionality of Milesight UR32L v32.3.0.5. A specially crafted set of network packets can lead to command execution... | 7.2 | HIGH | — | 0 |
| CVE-2023-22371 An os command injection vulnerability exists in the liburvpn.so create_private_key functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to command execution. An attacker... | 8.1 | HIGH | — | 0 |
| CVE-2023-22653 An OS command injection vulnerability exists in the vtysh_ubus tcpdump_start_cb functionality of Milesight UR32L v32.3.0.5. A specially crafted HTTP request can lead to command execution. An authentic... | 8.8 | HIGH | — | 0 |
| CVE-2023-22659 An os command injection vulnerability exists in the libzebra.so change_hostname functionality of Milesight UR32L v32.3.0.5. A specially-crafted network packets can lead to command execution. An attack... | 7.2 | HIGH | — | 0 |
| CVE-2023-22844 An authentication bypass vulnerability exists in the requestHandlers.js verifyToken functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An att... | 7.3 | HIGH | — | 0 |
| CVE-2023-37133 A stored cross-site scripting (XSS) vulnerability in the Column management module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 5.4 | MEDIUM | — | 0 |
| CVE-2023-23546 A misconfiguration vulnerability exists in the urvpn_client functionality of Milesight UR32L v32.3.0.5. A specially-crafted man-in-the-middle attack can lead to increased privileges. An attacker can p... | 4.2 | MEDIUM | — | 0 |
| CVE-2023-23547 A directory traversal vulnerability exists in the luci2-io file-export mib functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary file read. An attacker ... | 6.5 | MEDIUM | — | 0 |
| CVE-2023-23550 An OS command injection vulnerability exists in the ys_thirdparty user_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker ... | 7.2 | HIGH | — | 0 |
| CVE-2023-23571 An access violation vulnerability exists in the eventcore functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to denial of service. An attacker can send a network ... | 7.5 | HIGH | — | 0 |
| CVE-2023-23902 A buffer overflow vulnerability exists in the uhttpd login functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to remote code execution. An attacker can send a net... | 9.8 | CRITICAL | — | 0 |
| CVE-2023-23907 A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a net... | 7.5 | HIGH | — | 0 |
| CVE-2023-37134 A stored cross-site scripting (XSS) vulnerability in the Basic Information module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 5.4 | MEDIUM | — | 0 |
| CVE-2023-24018 A stack-based buffer overflow vulnerability exists in the libzebra.so.0.0.0 security_decrypt_password functionality of Milesight UR32L v32.3.0.5. A specially crafted HTTP request can lead to a buffer ... | 8.8 | HIGH | — | 0 |
| CVE-2023-24019 A stack-based buffer overflow vulnerability exists in the urvpn_client http_connection_readcb functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to a buffer overfl... | 8.1 | HIGH | — | 0 |
| CVE-2023-24595 An OS command injection vulnerability exists in the ys_thirdparty system_user_script functionality of Milesight UR32L v32.3.0.5. A specially crafted series of network requests can lead to command exec... | 7.2 | HIGH | — | 0 |
| CVE-2023-30322 Cross Site Scripting (XSS) vulnerability in username field in /src/chatbotapp/chatWindow.java in Payatu ChatEngine v.1.0, allows attackers to execute arbitrary code. | 5.4 | MEDIUM | — | 0 |
| CVE-2023-30323 SQL Injection vulnerability in username field in /src/chatbotapp/chatWindow.java in Payatu ChatEngine v.1.0, allows attackers to gain sensitive information. | 7.5 | HIGH | — | 0 |
| CVE-2023-30325 SQL Injection vulnerability in textMessage parameter in /src/chatbotapp/chatWindow.java in wliang6 ChatEngine v.1.0, allows attackers to gain sensitive information. | 7.5 | HIGH | — | 0 |
| CVE-2023-30326 Cross Site Scripting (XSS) vulnerability in username field in /WebContent/WEB-INF/lib/chatbox.jsp in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arb... | 6.1 | MEDIUM | — | 0 |
| CVE-2023-35948 Novu provides an API for sending notifications through multiple channels. Versions prior to 0.16.0 contain an open redirect vulnerability in the "Sign In with GitHub" functionality of Novu's open-sour... | 5.4 | MEDIUM | — | 0 |
| CVE-2023-36969 CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function. | 8.8 | HIGH | — | 0 |
| CVE-2023-36970 A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function. | 5.4 | MEDIUM | — | 0 |
| CVE-2023-37122 A stored cross-site scripting (XSS) vulnerability in Bagecms v3.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Settings module. | 5.4 | MEDIUM | — | 0 |
| CVE-2023-37124 A stored cross-site scripting (XSS) vulnerability in the Site Setup module of SEACMS v12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 5.4 | MEDIUM | — | 0 |
| CVE-2023-37125 A stored cross-site scripting (XSS) vulnerability in the Management Custom label module of SEACMS v12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 5.4 | MEDIUM | — | 0 |
| CVE-2023-37131 A Cross-Site Request Forgery (CSRF) in the component /public/admin/profile/update.html of YznCMS v1.1.0 allows attackers to arbitrarily change the Administrator password via a crafted POST request. | 6.5 | MEDIUM | — | 0 |
| CVE-2023-30319 Cross Site Scripting (XSS) vulnerability in username field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbit... | 9.6 | CRITICAL | — | 0 |
| CVE-2023-30320 Cross Site Scripting (XSS) vulnerability in textMessage field in /src/chatbotapp/chatWindow.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbi... | 9.0 | CRITICAL | — | 0 |
| CVE-2023-30321 Cross Site Scripting (XSS) vulnerability in textMessage field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute ar... | 9.0 | CRITICAL | — | 0 |
| CVE-2023-34193 File Upload vulnerability in Zimbra ZCS 8.8.15 allows an authenticated privileged user to execute arbitrary code and obtain sensitive information via the ClientUploader function. | 8.8 | HIGH | — | 0 |
| CVE-2023-36823 Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to ... | 7.1 | HIGH | — | 0 |
| CVE-2023-3529 A vulnerability classified as problematic has been found in Rotem Dynamics Rotem CRM up to 20230729. This affects an unknown part of the file /LandingPages/api/otp/send?id=[ID][ampersand]method=sms of... | 5.3 | MEDIUM | — | 0 |
| CVE-2023-36830 SQLFluff is a SQL linter. Prior to version 2.1.2, in environments where untrusted users have access to the config files, there is a potential security vulnerability where those users could use the `li... | 6.3 | MEDIUM | — | 0 |
| CVE-2023-37260 league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey cons... | 8.2 | HIGH | — | 0 |
| CVE-2023-37454 An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. N... | 5.5 | MEDIUM | — | 0 |
| CVE-2023-3528 A vulnerability was found in ThinuTech ThinuCMS 1.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file /category.php. The manipulation of the argument cat... | 6.3 | MEDIUM | — | 0 |
| CVE-2023-30195 In the module "Detailed Order" (lgdetailedorder) in version up to 1.1.20 from Linea Grafica for PrestaShop, a guest can download personal informations without restriction formatted in json. | 7.5 | HIGH | — | 0 |
| CVE-2023-38195 Datalust Seq before 2023.2.9489 allows insertion of sensitive information into an externally accessible file or directory. This is exploitable only when external (SQL Server or PostgreSQL) metadata st... | 4.9 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.