HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Max CVSS
8.1
Published
2023-04-29
Updated
2023-06-21
EPSS
0.24%
GitLab::API::v4 through 0.26 does not verify TLS certificates when connecting to a GitLab server, enabling machine-in-the-middle attacks.
Max CVSS
5.9
Published
2023-04-29
Updated
2023-05-08
EPSS
0.12%
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
Max CVSS
8.1
Published
2023-04-29
Updated
2023-08-02
EPSS
0.21%
tar/TarFileReader.cpp in Cauldron cbang before bastet-v8.1.17 has a directory traversal during extraction that allows the attacker to create or write to files outside the current directory via a crafted tar archive.
Max CVSS
7.5
Published
2023-04-28
Updated
2023-05-08
EPSS
0.05%
SmartDNS through 41 before 56d0332 allows an out-of-bounds write because of a stack-based buffer overflow in the _dns_encode_domain function in the dns.c file, via a crafted DNS request.
Max CVSS
9.8
Published
2023-04-28
Updated
2023-05-08
EPSS
0.09%
In Talend Studio before 7.3.1-R2022-10 and 8.x before 8.0.1-R2022-09, microservices allow unauthenticated access to the Jolokia endpoint of the microservice. This allows for remote access to the JVM via the Jolokia JMX-HTTP bridge.
Max CVSS
7.5
Published
2023-04-28
Updated
2023-05-08
EPSS
0.09%
qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
Max CVSS
7.8
Published
2023-04-28
Updated
2023-11-29
EPSS
0.04%
Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.
Max CVSS
5.9
Published
2023-04-27
Updated
2023-05-10
EPSS
0.05%
An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account.
Max CVSS
7.8
Published
2023-04-27
Updated
2023-05-30
EPSS
0.04%
An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist.
Max CVSS
5.3
Published
2023-04-27
Updated
2023-05-30
EPSS
0.05%
An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an administrator user.
Max CVSS
6.1
Published
2023-04-27
Updated
2023-05-30
EPSS
0.05%
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
Max CVSS
6.5
Published
2023-04-26
Updated
2023-05-05
EPSS
0.05%
Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars.
Max CVSS
8.7
Published
2023-04-25
Updated
2023-05-11
EPSS
0.05%
An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
Max CVSS
5.5
Published
2023-04-24
Updated
2023-09-29
EPSS
0.04%
An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.
Max CVSS
5.5
Published
2023-04-24
Updated
2023-11-02
EPSS
0.04%
An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.
Max CVSS
4.7
Published
2023-04-24
Updated
2023-09-29
EPSS
0.04%
An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel.
Max CVSS
5.5
Published
2023-04-24
Updated
2023-09-29
EPSS
0.04%
An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. In vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes vidtv_mux_stop_thread(dvb->mux).
Max CVSS
5.5
Published
2023-04-24
Updated
2023-09-29
EPSS
0.04%
Repetier Server through 1.4.10 does not have CSRF protection.
Max CVSS
8.8
Published
2023-04-24
Updated
2023-05-02
EPSS
0.06%
Repetier Server through 1.4.10 executes as SYSTEM. This can be leveraged in conjunction with CVE-2023-31059 for full compromise.
Max CVSS
9.8
Published
2023-04-24
Updated
2023-05-02
EPSS
0.11%
Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php.
Max CVSS
7.5
Published
2023-04-24
Updated
2023-05-02
EPSS
0.53%
CloverDX before 5.17.3 writes passwords to the audit log in certain situations, if the audit log is enabled and single sign-on is not employed. The fixed versions are 5.15.4, 5.16.2, 5.17.3, and 6.0.x.
Max CVSS
9.1
Published
2023-04-24
Updated
2023-04-29
EPSS
0.05%
** DISPUTED ** A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anywhere."
Max CVSS
4.8
Published
2023-04-24
Updated
2023-05-02
EPSS
0.05%
EnterpriseDB EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0.
Max CVSS
7.5
Published
2023-04-23
Updated
2023-05-02
EPSS
0.06%
The Denosaurs emoji package provides emojis for dinosaurs. Starting in version 0.1.0 and prior to version 0.3.0, the reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. The issue has been patched in 0.3.0. As a workaround, avoid using the `replace`, `unemojify`, or `strip` functions.
Max CVSS
7.5
Published
2023-04-28
Updated
2023-05-08
EPSS
0.05%
2335 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!