PT-2023-32538 · Red Hat · Keycloak
Name of the Vulnerable Software and Affected Versions: Keycloak affected versions not specified Description: A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially...
CVE-2023-47624 Audiobookshelf Arbitrary File Read Vulnerability
Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, any user regardless of their permissions may be able to read files from the local file system due to a path traversal in the /hls endpoint. This issue may lead to Information Disclosure. As of time of...
PYSEC-2023-286
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs /files/get/?name=... and /files/download/?name=... are used to provid...
CVE-2023-41337
Summary: CVE-2023-41337 affects the H2O HTTP server prior to 2.3.0-beta2 when configured to listen on multiple addresses/ports with backend servers from multiple entities. A malicious backend that can observe/inject client–server packets may misdirect TLS session resumption, causing HTTPS request...
CVE-2023-41337
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the...
CVE-2023-48227 Umbraco CMS Backoffice User can bypass "Publish" restriction
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with "send for approval" permission but not "publish" permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contain a...
PT-2023-8591 · Adobe · Substance3D - Stager
Name of the Vulnerable Software and Affected Versions: Adobe Substance 3D Stager versions 2.1.1 and earlier Description: The issue is related to an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigatio...
PT-2023-8135 · Adobe · Experience Manager
Name of the Vulnerable Software and Affected Versions: Adobe Experience Manager versions 6.5.18 and earlier Description: The issue is related to a Cross-site Scripting DOM-based XSS vulnerability. It can be exploited if a low-privileged attacker convinces a victim to visit a URL referencing a...
PT-2023-8551 · Adobe · Substance3D - Designer
Name of the Vulnerable Software and Affected Versions: Adobe Substance 3D Designer versions 13.0.0 and earlier Adobe Substance 3D Designer versions 13.1.0 and earlier Description: The issue is related to an out-of-bounds read vulnerability in the Adobe Substance 3D Designer program, which could...
PT-2023-25652 · Grafana +1 · Loki +2
Name of the Vulnerable Software and Affected Versions: ProLion CryptoSpike version 3.0.15P2 Description: The issue allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens from logs as a Grafana authenticated user or from the Loki REST API withou...
PT-2023-32715 · Typecho · Typecho
Name of the Vulnerable Software and Affected Versions: Typecho version 1.2.1 Description: A vulnerability has been found in the Logo Handler component of Typecho, affecting an unknown function of the file /admin/options-theme.php. This issue leads to cross site scripting and can be exploited...
PT-2023-30983 · Unknown · Appointment Scheduler
Name of the Vulnerable Software and Affected Versions: Appointment Scheduler version 3.0 Description: A lack of rate limiting in pjActionAjaxSend allows attackers to cause resource exhaustion. There is no information provided about the estimated number of potentially affected devices worldwide or...
PT-2023-31451 · Tenda · Tenda W30E
Name of the Vulnerable Software and Affected Versions: Tenda W30E version 16.01.0.124843 Description: A stack overflow issue was discovered via the function formResetMeshNode. Recommendations: For Tenda W30E version 16.01.0.124843, as a temporary workaround, consider disabling the formResetMeshNo...
PT-2023-7498 · Microsoft · Edge
Name of the Vulnerable Software and Affected Versions: Microsoft Edge affected versions not specified Description: The issue is related to insufficient input validation in Microsoft Edge, allowing a remote attacker to gain unauthorized access to protected information. Recommendations: At the...
PT-2023-32283 · WordPress · System Dashboard
Name of the Vulnerable Software and Affected Versions: System Dashboard plugin for WordPress versions up to, and including, 2.8.7 Description: The issue allows unauthorized access to data due to a missing capability check on the sd constants function hooked via an AJAX action. This makes it...
PT-2023-11905 · Rl Institut · Nesp2
Name of the Vulnerable Software and Affected Versions: rl-institut NESP2 version 1.0 Description: A critical issue has been found, allowing for sql injection through an unknown function in the file app/database.py. This can be exploited remotely. The issue has been publicly disclosed and a patch ...
WordPress Nested Pages Plugin <= 3.2.6 is vulnerable to Cross Site Scripting (XSS)
Software Nested Pages Type Plugin Vulnerable versions = 3.2.6 Fixed in 3.2.7 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-49195 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID 12ebb2b0a5fd Credits emad Required privilege Administrator...
PT-2023-7349 · Foxit · Foxit Reader
Name of the Vulnerable Software and Affected Versions: Foxit Reader version 12.1.3.15356 Description: A code execution issue exists in the Javascript saveAs API of Foxit Reader. This is due to the improper handling of specially crafted malformed files, which can lead to the creation of arbitrary...
CVE-2023-48239 Nextcloud Server users can make external storage mount points inaccessible for other users
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8,...
PT-2023-8868 · Foxit · Foxit Pdf Editor +1
Name of the Vulnerable Software and Affected Versions: Foxit PDF Reader affected versions not specified Foxit PDF Editor affected versions not specified Description: The issue is related to the use of memory after it has been freed when handling Doc objects, which can allow an attacker to execute...