6603 matches found

OSV
added 2023/11/30 11:15 p.m., 2 views

CVE-2023-47307

Buffer Overflow vulnerability in /apply.cgi in Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 allows attackers to cause a denial of service via the ApCliAuthMode parameter...

CVSS 7.5, AI score 5.8, EPSS 0.0077
Exploits: 1, References: 1
RedHat Linux
added 2023/11/28 3:39 p.m., 77 views

Low: Red Hat Security Advisory: curl security and bug fix update

An update for curl is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 3.7, AI score 7, EPSS 0.06208
Exploits: 0, References: 3
GithubExploit
added 2023/11/25 5:22 p.m., 602 views

Exploit for CVE-2023-38646

CVE-2023-38646 Metabase Pre-Auth RCE 11/26/2023 Metabase ope...

CVSS 9.8, AI score 9.9, EPSS 0.97924
Exploits: 36
OSV
added 2023/11/24 4:53 p.m., 28 views

GHSA-FPVW-6M5V-HQFP Capsule Proxy Authentication bypass using an empty token

The privilege escalation is based on a missing check if the user is authenticated based on the TokenReview result. All the clusters running with the anonymous-auth Kubernetes API Server setting disable set to false are affected since it would be possible to bypass the token review mechanism,...

CVSS 9.8, AI score 9.5, EPSS 0.00574
Exploits: 1, References: 4
vulnersOsv
added 2023/11/23 6:30 p.m., 7 views

app.cash.backfila:client-misk (>=2023.12.01.210510-f61f157 <=2025.09.02.174848-7b27340), app.cash.backfila:client-misk-hibernate (>=2023.12.01.210510-f61f157 <=2025.01.16.180443-b0fbc31) +1602 more potentially affected by CVE-2023-33202 via org.bouncycastle:bcpkix-jdk18on (>=1.71 <=1.72)

org.bouncycastle:bcpkix-jdk18on MAVEN version =1.71, =2023.12.01.210510-f61f157, =2023.12.01.210510-f61f157, =2023.12.01.210510-f61f157, =2023.12.01.210510-f61f157, =4.8.3, =1.4.0, =8.1.0.563, =1.1, =1.0.0, =2.10.6.9, =2.10.6.9, =2.10.6.9, =2.10.6.9, =2.10.7.12 and more Source cves: CVE-2023-3320...

CVSS 5.5, AI score 6.2, EPSS 0.00932
Exploits: 1
OSV
added 2023/11/21 7:15 a.m., 3 views

CVE-2023-21418

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact...

CVSS 7.1, AI score 7, EPSS 0.00668
Exploits: 0, References: 1
Github Security Blog
added 2023/11/20 11:25 p.m., 45 views

Possible user mocking that bypasses basic authentication

Impact: next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow state, PKCE or nonce. Manually overriding the...

CVSS 5.3, AI score 6.5, EPSS 0.007
Exploits: 0, References: 7, Affected Software: 1
OSV
added 2023/11/20 11:25 p.m., 4 views

GHSA-V64W-49XW-QQ89 Possible user mocking that bypasses basic authentication

Impact: next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow state, PKCE or nonce. Manually overriding the...

CVSS 5.3, AI score 6, EPSS 0.007
Exploits: 0, References: 7
Vulnrichment
added 2023/11/20 6:25 p.m., 15 views

CVE-2023-48309 next-auth vulnerable to possible user mocking that bypasses basic authentication

NextAuth.js provides authentication for Next.js. next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth...

CVSS 5.3, AI score 6.6, EPSS 0.007
Exploits: 0, References: 5
The Hacker News
added 2023/11/17 5:57 a.m., 114 views

CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild. The vulnerabilities are as follows - CVE-2023-36584 (CVSS score: 5.4) - Microsoft Windows...

CVSS 9.8, AI score 10, EPSS 0.99999
Exploits: 33
CVE
added 2023/11/16 7:52 p.m., 75 views

CVE-2023-32957

CVE-2023-32957 concerns the WordPress plugin Team Members Showcase by Dazzlersoft, affected in versions <= 1.3.4. The vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw, exploitable by an administrator or higher privileges via admin settings. Multiple sources corroborate ...

CVSS 5.9, AI score 5.1, EPSS 0.00386
Exploits: 0, References: 1, Affected Software: 1
NVD
added 2023/11/16 7:15 p.m., 13 views

CVE-2023-47245

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Marco Milesi ANAC XML Viewer plugin <= 1.7 versions...

CVSS 5.9, EPSS 0.00394
Exploits: 0, References: 1
CVE
added 2023/11/16 6:58 p.m., 36 views

CVE-2023-47239

CVE-2023-47239 affects the WordPress plugin Scott Paterson Easy PayPal Shopping Cart (versions

CVSS 6.5, AI score 5.3, EPSS 0.00401
Exploits: 0, References: 1, Affected Software: 1
Cvelist
added 2023/11/16 6:48 p.m., 19 views

CVE-2023-47240 WordPress CBX Map for Google Map & OpenStreetMap Plugin <= 1.1.11 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Codeboxr CBX Map for Google Map & OpenStreetMap plugin <= 1.1.11 versions...

CVSS 6.5, AI score 6, EPSS 0.00386
Exploits: 0, References: 1
Vulnrichment
added 2023/11/16 6:48 p.m., 11 views

CVE-2023-47240 WordPress CBX Map for Google Map & OpenStreetMap Plugin <= 1.1.11 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Codeboxr CBX Map for Google Map & OpenStreetMap plugin <= 1.1.11 versions...

CVSS 6.5, AI score 5.6, EPSS 0.00386
Exploits: 0, References: 1
CVE
added 2023/11/16 6:48 p.m., 71 views

CVE-2023-47240

CVE-2023-47240 describes a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin CBX Map for Google Map & OpenStreetMap, affecting versions <= 1.1.11. The issue is a stored XSS in the plugin, with vendor-supplied sources indicating a fix in version 1.1.12. Public references corro...

CVSS 6.5, AI score 5.5, EPSS 0.00386
Exploits: 0, References: 1, Affected Software: 1
CVE
added 2023/11/16 6:44 p.m., 72 views

CVE-2023-47242

CVE-2023-47242 refers to a Stored Cross-Site Scripting (XSS) flaw in the Marco Milesi ANAC XML Bandi di Gara WordPress plugin, affecting all releases up to and including version 7.5. The vulnerability requires Contributor+ authentication to exploit and could enable script injection under certain ...

CVSS 6.5, AI score 5.5, EPSS 0.00386
Exploits: 0, References: 1, Affected Software: 1
OSSF Malicious Packages
added 2023/11/16 7:25 a.m., 4 views

Malicious code in oasis-auth (npm)

--- -= Per source details. Do not edit below this line. =- Source: ghsa-malware 6bbbb6d6d51b6b4eae513979526b1a1d3c7c7b9947f319737a35fe899336adfc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.8
Exploits: 0, References: 1
OSV
added 2023/11/16 7:25 a.m., 21 views

MAL-2023-8519 Malicious code in oasis-auth (npm)

--- -= Per source details. Do not edit below this line. =- Source: ghsa-malware 6bbbb6d6d51b6b4eae513979526b1a1d3c7c7b9947f319737a35fe899336adfc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0, References: 1
hivepro
added 2023/11/15 5:17 a.m., 20 views

Multiple Critical Vulnerabilities in Juniper Exploited in the Wild

Threat Level: Vulnerability Report. For a detailed threat advisory, download the pdf file here. Summary: Multiple vulnerabilities have been discovered in Juniper Networks Junos OS, with the potential for pre-auth Remote Code Execution when chained in Juniper devices. Juniper Networks has confirmed th...

AI score 8.3
Exploits: 0