CVE-2023-27372

Public exploit
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Max CVSS: 9.8 | EPSS Score: 97.35% | Published: 2023-02-28 | Updated: 2023-06-21
GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.
Max CVSS: 5.9 | EPSS Score: 0.10% | Published: 2023-02-28 | Updated: 2023-03-31
Sudo before 1.9.13p2 has a double free in the per-command chroot feature.
Max CVSS: 7.2 | EPSS Score: 0.18% | Published: 2023-02-28 | Updated: 2023-11-02
Cross-site request forgery is facilitated by OpenCATS' failure to require CSRF tokens in POST requests. An attacker can exploit this issue by creating a dummy page that executes JavaScript in an authenticated user's session when visited.
Max CVSS: 5.4 | EPSS Score: 0.08% | Published: 2023-02-28 | Updated: 2023-03-04
Improper neutralization of input during web page generation allows an authenticated attacker with access to a restricted account to submit malicious JavaScript as the description for a calendar event, which would then be executed in other users' browsers if they browse to that event. This could result in stealing session tokens from users with higher permission levels or forcing users to perform actions without their knowledge.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2023-02-28 | Updated: 2023-03-10
Improper neutralization of input during web page generation allows an unauthenticated attacker to submit malicious JavaScript as the answer to a questionnaire, which would then be executed when an authenticated user reviews the candidate's submission. This could be used to steal other users' cookies and force users to perform actions without their knowledge.
Max CVSS: 6.1 | EPSS Score: 0.14% | Published: 2023-02-28 | Updated: 2023-03-09
An open redirect vulnerability exposes OpenCATS to template injection due to improper validation of user-supplied GET parameters.
Max CVSS: 5.4 | EPSS Score: 0.09% | Published: 2023-02-28 | Updated: 2023-03-04
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
Max CVSS: 2.7 | EPSS Score: 0.05% | Published: 2023-02-27 | Updated: 2023-03-07
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
Max CVSS: 2.7 | EPSS Score: 0.05% | Published: 2023-02-27 | Updated: 2023-03-09
A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API.
Max CVSS: 7.1 | EPSS Score: 0.05% | Published: 2023-02-27 | Updated: 2023-03-07
A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.
Max CVSS: 6.5 | EPSS Score: 0.06% | Published: 2023-02-27 | Updated: 2023-03-09
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an arbitrary file upload vulnerability.
Max CVSS: 8.8 | EPSS Score: 0.09% | Published: 2023-02-27 | Updated: 2023-03-04
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an information disclosure vulnerability via the /debug endpoint. This vulnerability allows attackers to access cleartext credentials needed to authenticate to the AS400 system.
Max CVSS: 7.5 | EPSS Score: 0.17% | Published: 2023-02-27 | Updated: 2023-03-04
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an OS command injection vulnerability via calls made to the XMService component.
Max CVSS: 8.8 | EPSS Score: 0.17% | Published: 2023-02-27 | Updated: 2023-03-04
Sme.UP TOKYO V6R1M220406 was discovered to contain an arbitrary file download vulnerability via the component /ResourceService.
Max CVSS: 7.5 | EPSS Score: 0.15% | Published: 2023-02-27 | Updated: 2023-03-04
ABUS TVIP 20000-21150 devices allow remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field.
Max CVSS: 7.2 | EPSS Score: 1.03% | Published: 2023-02-27 | Updated: 2023-03-07
In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.
Max CVSS: 7.1 | EPSS Score: 0.04% | Published: 2023-02-26 | Updated: 2024-03-25
In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.
Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2023-02-26 | Updated: 2024-03-25
In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback.c, related to __list_del_entry_valid.
Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2023-02-26 | Updated: 2024-03-25
ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.
Max CVSS: 9.8 | EPSS Score: 1.27% | Published: 2023-02-26 | Updated: 2023-03-07
A SQL injection vulnerability in BMC Control-M before 9.0.20.214 allows attackers to execute arbitrary SQL commands via the memname JSON field.
Max CVSS: 9.8 | EPSS Score: 0.14% | Published: 2023-02-25 | Updated: 2023-03-07
In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
Max CVSS: 4.7 | EPSS Score: 0.04% | Published: 2023-02-25 | Updated: 2023-05-03
In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.
Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2023-02-25 | Updated: 2024-03-25
Cerebrate 1.12 does not properly consider organisation_id during creation of API keys.
Max CVSS: 9.1 | EPSS Score: 0.14% | Published: 2023-02-24 | Updated: 2023-03-03
ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.)
Max CVSS: 8.1 | EPSS Score: 0.34% | Published: 2023-02-23 | Updated: 2023-08-29
2128 vulnerabilities found