| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2023-28434 |
269 |
|
Bypass |
2023-03-22 |
2023-03-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. |
|
2 |
CVE-2023-28426 |
79 |
|
XSS Bypass |
2023-03-20 |
2023-03-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
savg-sanitizer is a PHP SVG/XML Sanitizer. A bypass has been found in versions prior to 0.16.0 that allows an attacker to upload an SVG with persistent cross-site scripting. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn't seeing them as DOM elements. This issue is fixed in version 0.16.0. Any data within a CDATA node will now be sanitised using HTMLPurifier. The maintainers have also removed many of the HTML and MathML elements from the allowed element list, as without ForiegnObject, they're not legal within the SVG context. There are no known workarounds. |
|
3 |
CVE-2023-28337 |
434 |
|
Bypass |
2023-03-15 |
2023-03-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
When uploading a firmware image to a Netgear Nighthawk Wifi6 Router (RAX30), a hidden “forceFWUpdate” parameter may be provided to force the upgrade to complete and bypass certain validation checks. End users can use this to upload modified, unofficial, and potentially malicious firmware to the device. |
|
4 |
CVE-2023-28155 |
918 |
|
Bypass |
2023-03-16 |
2023-03-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
|
5 |
CVE-2023-28111 |
918 |
|
Bypass |
2023-03-17 |
2023-03-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) protection for private IPv4 addresses by using a IPv4-mapped IPv6 address. The issue is patched in the latest beta and tests-passed version of Discourse. version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. |
|
6 |
CVE-2023-28109 |
639 |
|
Bypass |
2023-03-16 |
2023-03-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Play With Docker is a browser-based Docker playground. Versions 0.0.2 and prior are vulnerable to domain hijacking. Because CORS configuration was not correct, an attacker could use `play-with-docker.com` as an example and set the origin header in an http request as `evil-play-with-docker.com`. The domain would echo in response header, which successfully bypassed the CORS policy and retrieved basic user information. This issue has been fixed in commit ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a. There are no known workarounds. |
|
7 |
CVE-2023-28005 |
|
|
Bypass |
2023-03-22 |
2023-03-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption version 6.0.0.3204 and below could allow an attacker with physical access to an affected device to bypass Microsoft Windows? Secure Boot process in an attempt to execute other attacks to obtain access to the contents of the device. An attacker must first obtain physical access to the target system in order to exploit this vulnerability. It is also important to note that the contents of the drive(s) encrypted with TMEE FDE would still be protected and would NOT be accessible by the attacker by exploitation of this vulnerability alone. |
|
8 |
CVE-2023-27894 |
200 |
|
Bypass +Info File Inclusion |
2023-03-14 |
2023-03-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to execute malicious requests, resulting in sensitive information disclosure. This causes limited impact on confidentiality of data. |
|
9 |
CVE-2023-27595 |
755 |
|
Bypass |
2023-03-17 |
2023-03-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass due to the lack of Network Policy enforcement during the window. This vulnerability impacts any Cilium-managed endpoints on the node (such as Kubernetes Pods), as well as the host network namespace (including Host Firewall). This vulnerability is fixed in Cilium 1.13.1 or later. Cilium releases 1.12.x, 1.11.x, and earlier are not affected. There are no known workarounds. |
|
10 |
CVE-2023-27594 |
285 |
|
Bypass |
2023-03-17 |
2023-03-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. This issue only manifests when Cilium is routing IPv6 traffic and NodePorts are used to route traffic to pods. IPv6 and endpoint routes are both disabled by default. The problem has been fixed and is available on versions 1.11.15, 1.12.8, and 1.13.1. As a workaround, disable IPv6 routing. |
|
11 |
CVE-2023-27582 |
287 |
|
Bypass |
2023-03-13 |
2023-03-17 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds. |
|
12 |
CVE-2023-27490 |
352 |
|
Bypass CSRF |
2023-03-09 |
2023-03-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details. |
|
13 |
CVE-2023-27482 |
287 |
|
Bypass |
2023-03-08 |
2023-03-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected. The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. This rollout has been completed at the time of publication of this advisory. Home Assistant Core 2023.3.0 included mitigation for this vulnerability. Upgrading to at least that version is thus advised. In case one is not able to upgrade the Home Assistant Supervisor or the Home Assistant Core application at this time, it is advised to not expose your Home Assistant instance to the internet. |
|
14 |
CVE-2023-27100 |
|
|
Bypass |
2023-03-22 |
2023-03-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests. |
|
15 |
CVE-2023-26510 |
862 |
|
Bypass |
2023-03-05 |
2023-03-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact. |
|
16 |
CVE-2023-26492 |
918 |
|
Bypass |
2023-03-03 |
2023-03-10 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0. |
|
17 |
CVE-2023-26261 |
74 |
|
Bypass |
2023-03-08 |
2023-03-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In UBIKA WAAP Gateway/Cloud through 6.10, a blind XPath injection leads to an authentication bypass by stealing the session of another connected user. The fixed versions are WAAP Gateway & Cloud 6.11.0 and 6.5.6-patch15. |
|
18 |
CVE-2023-26047 |
79 |
|
Exec Code XSS Bypass |
2023-03-03 |
2023-03-10 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and horizontal tab is used. This vulnerability allows an attacker to execute arbitrary JavaScript code on the victim's browser and compromise the security of the web application. An attacker can exploit this vulnerability to bypass common web attack threat rules in teler-waf and launch cross-site scripting (XSS) attacks. The attacker can execute arbitrary JavaScript code on the victim's browser and steal sensitive information, such as login credentials and session tokens, or take control of the victim's browser and perform malicious actions. This issue has been patched in version 0.2.0. |
|
19 |
CVE-2023-26046 |
79 |
|
Exec Code XSS Bypass |
2023-03-02 |
2023-03-10 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version 0.1.1 is vulnerable to bypassing common web attack rules when a specific HTML entities payload is used. This vulnerability allows an attacker to execute arbitrary JavaScript code on the victim's browser and compromise the security of the web application. The vulnerability exists due to teler-waf failure to properly sanitize and filter HTML entities in user input. An attacker can exploit this vulnerability to bypass common web attack threat rules in teler-waf and launch cross-site scripting (XSS) attacks. The attacker can execute arbitrary JavaScript code on the victim's browser and steal sensitive information, such as login credentials and session tokens, or take control of the victim's browser and perform malicious actions. This issue has been fixed in version 0.1.1. |
|
20 |
CVE-2023-26034 |
89 |
|
Exec Code Sql Bypass |
2023-02-25 |
2023-03-07 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution. |
|
21 |
CVE-2023-25957 |
287 |
|
Bypass |
2023-03-14 |
2023-03-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All Versions >= 1.16.4 < 1.17.2), Mendix SAML (Mendix 8 compatible) (All versions >= 2.2.0 < 2.2.3), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= 3.1.9 < 3.2.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= 3.1.9 < 3.2.5). The affected versions of the module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application. |
|
22 |
CVE-2023-25862 |
125 |
|
Bypass |
2023-03-22 |
2023-03-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Illustrator version 26.5.2 (and earlier) and 27.2.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
|
23 |
CVE-2023-25812 |
|
|
Bypass |
2023-02-21 |
2023-03-07 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue. |
|
24 |
CVE-2023-25765 |
693 |
|
Exec Code Bypass |
2023-02-15 |
2023-02-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. |
|
25 |
CVE-2023-25725 |
|
|
Bypass |
2023-02-14 |
2023-02-25 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31. |
|
26 |
CVE-2023-25690 |
444 |
|
Bypass |
2023-03-07 |
2023-03-14 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server. |
|
27 |
CVE-2023-25562 |
613 |
|
Bypass |
2023-02-11 |
2023-02-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45 Session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the `AuthUtils.hasValidSessionCookie()` method could be bypassed by using a cookie from a logged out session, as a result any logged out session cookie may be accepted as valid and therefore lead to an authentication bypass to the system. Users are advised to upgrade. There are no known workarounds for this issue. This vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-083. |
|
28 |
CVE-2023-25560 |
913 |
|
Bypass |
2023-02-11 |
2023-02-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
DataHub is an open-source metadata platform. The AuthServiceClient which is responsible for creation of new accounts, verifying credentials, resetting them or requesting access tokens, crafts multiple JSON strings using format strings with user-controlled data. This means that an attacker may be able to augment these JSON strings to be sent to the backend and that can potentially be abused by including new or colliding values. This issue may lead to an authentication bypass and the creation of system accounts, which effectively can lead to full system compromise. Users are advised to upgrade. There are no known workarounds for this vulnerability. This vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-080. |
|
29 |
CVE-2023-25559 |
863 |
|
Bypass |
2023-02-11 |
2023-02-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
DataHub is an open-source metadata platform. When not using authentication for the metadata service, which is the default configuration, the Metadata service (GMS) will use the X-DataHub-Actor HTTP header to infer the user the frontend is sending the request on behalf of. When the backends retrieves the header, its name is retrieved in a case-insensitive way. This case differential can be abused by an attacker to smuggle an X-DataHub-Actor header with different casing (eg: X-DATAHUB-ACTOR). This issue may lead to an authorization bypass by allowing any user to impersonate the system user account and perform any actions on its behalf. This vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-079. |
|
30 |
CVE-2023-25403 |
639 |
|
Bypass |
2023-03-03 |
2023-03-10 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
CleverStupidDog yf-exam v 1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication. |
|
31 |
CVE-2023-25264 |
287 |
|
Bypass |
2023-02-28 |
2023-03-07 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in Docmosis Tornado prior to version 2.9.5. An unauthenticated attacker can bypass the authentication check filter completely by introducing a specially crafted request with relative path segments. |
|
32 |
CVE-2023-25173 |
863 |
|
Exec Code Bypass |
2023-02-16 |
2023-02-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups. |
|
33 |
CVE-2023-25170 |
352 |
|
Bypass CSRF |
2023-03-13 |
2023-03-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1. |
|
34 |
CVE-2023-25162 |
918 |
|
Bypass |
2023-02-13 |
2023-02-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available. |
|
35 |
CVE-2023-25147 |
427 |
|
Bypass |
2023-03-10 |
2023-03-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue in the Trend Micro Apex One agent could allow an attacker who has previously acquired administrative rights via other means to bypass the protection by using a specifically crafted DLL during a specific update process. Please note: an attacker must first obtain administrative access on the target system via another method in order to exploit this. |
|
36 |
CVE-2023-24890 |
|
|
Bypass |
2023-03-14 |
2023-03-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Microsoft OneDrive for iOS Security Feature Bypass Vulnerability |
|
37 |
CVE-2023-24880 |
863 |
|
Bypass |
2023-03-14 |
2023-03-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Windows SmartScreen Security Feature Bypass Vulnerability |
|
38 |
CVE-2023-24813 |
436 |
|
Exec Code Bypass |
2023-02-07 |
2023-02-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
|
39 |
CVE-2023-24804 |
22 |
|
Dir. Trav. Bypass |
2023-02-13 |
2023-02-22 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the app’s internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses. |
|
40 |
CVE-2023-24610 |
434 |
|
Exec Code Bypass |
2023-02-01 |
2023-02-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
NOSH 4a5cfdb allows remote authenticated users to execute PHP arbitrary code via the "practice logo" upload feature. The client-side checks can be bypassed. This may allow attackers to steal Protected Health Information because the product is for health charting. |
|
41 |
CVE-2023-24422 |
78 |
|
Exec Code Bypass |
2023-01-26 |
2023-02-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. |
|
42 |
CVE-2023-24329 |
20 |
|
Bypass |
2023-02-17 |
2023-02-27 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. |
|
43 |
CVE-2023-24104 |
|
|
Bypass |
2023-02-23 |
2023-03-06 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. |
|
44 |
CVE-2023-24021 |
|
|
Bypass |
2023-01-20 |
2023-03-06 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection. |
|
45 |
CVE-2023-24020 |
307 |
|
Bypass |
2023-01-30 |
2023-02-07 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior could bypass the brute force protection, allowing multiple attempts to force a login. |
|
46 |
CVE-2023-23940 |
347 |
|
Bypass |
2023-02-03 |
2023-02-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1. |
|
47 |
CVE-2023-23937 |
434 |
|
Bypass |
2023-02-03 |
2023-02-13 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain. This issue has been patched in version 10.5.16. |
|
48 |
CVE-2023-23928 |
347 |
|
Bypass |
2023-02-01 |
2023-02-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2. |
|
49 |
CVE-2023-23926 |
611 |
|
Bypass |
2023-02-16 |
2023-02-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin prior to version 5.5.0 in Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely. Although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in your system. |
|
50 |
CVE-2023-23924 |
863 |
|
Exec Code Bypass |
2023-02-01 |
2023-02-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available. |
