Positive Technologies
added 2023/07/23 12:00 a.m. · 4 views

PT-2023-26410 · Nxfilter · Nxfilter

Name of the Vulnerable Software and Affected Versions: NxFilter version 4.3.2.5 Description: A vulnerability has been found in NxFilter, affecting unknown code of the file user.jsp, leading to cross-site request forgery. The attack can be initiated remotely. The vendor was contacted early about...

CVSS 8.8 · AI score 8.7 · EPSS 0.00243
Exploits 0 · References 5
Positive Technologies
added 2023/07/21 12:00 a.m. · 10 views

PT-2023-26321 · Unknown · Y Project Ruoyi

Name of the Vulnerable Software and Affected Versions: y project RuoYi versions up to 4.7.7 Description: A vulnerability has been found in the function uploadFilesPath of the component File Upload. The manipulation of the argument originalFilenames leads to cross site scripting. The attack may be...

CVSS 6.1 · AI score 6.3 · EPSS 0.00513
Exploits 1 · References 10
Amazon
added 2023/07/19 12:00 a.m. · 4 views

Medium: yajl

Issue Overview: yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of yajl contain an integer overflow which leads to subsequent heap memory corruption when dealing with large 2GB inputs. The reallocation logic at yajlbuf.cL64 may result in...

CVSS 7.5 · AI score 8 · EPSS 0.03472
Exploits 1
Patchstack
added 2023/07/18 12:00 a.m. · 8 views

WordPress FloPress Plugin <= 1.4.2 is vulnerable to Cross Site Scripting (XSS)

Software FloPress Type Plugin Vulnerable versions = 1.4.2 Fixed in N/A OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-33999 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 98bc1cb18f05 Credits Rafie Muhammad Patchstack Required...

AI score 6.5 · EPSS 0.00284
Exploits 0 · References 2 · Affected Software 1
Patchstack
added 2023/07/14 12:00 a.m. · 13 views

WordPress Spectra Plugin <= 2.6.6 is vulnerable to Server Side Request Forgery (SSRF)

Software Spectra Type Plugin Vulnerable versions = 2.6.6 Fixed in 2.6.7 OWASP Top 10 A5: Broken Access Control Classification Server Side Request Forgery SSRF CVE CVE-2023-36679 Patch priority Low CVSS severity Low 7.1 Developer Claim ownership PSID e637edbf897c Credits Rafie Muhammad Patchstack...

CVSS 7.1 · AI score 6.7 · EPSS 0.00331
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2023/07/14 12:00 a.m. · 5 views

PT-2023-25709 · Discourse · Discourse

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the version containing commit 52b003d915 Description: Discourse is an open source discussion platform. A request to create or update a custom sidebar section can cause a denial of service. Recommendations: For...

CVSS 7.5 · AI score 7.4 · EPSS 0.00585
Exploits 0 · References 8
Positive Technologies
added 2023/07/13 12:00 a.m. · 3 views

PT-2023-26291 · Kofax · Kofax Power Pdf

Name of the Vulnerable Software and Affected Versions: Kofax Power PDF affected versions not specified Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the target must visit a malicious page or open a maliciou...

CVSS 7.8 · AI score 7.5 · EPSS 0.00345
Exploits 0 · References 3
Positive Technologies
added 2023/07/13 12:00 a.m. · 2 views

PT-2023-3681

Name of the Vulnerable Software and Affected Versions vm2 versions up to and including 3.9.19 Description The issue in vm2 allows attackers to escape the sandbox and run arbitrary code, potentially resulting in Remote Code Execution. This is possible due to the Node.js custom inspect function...

CVSS 10 · AI score 7.5 · EPSS 0.0279
Exploits 1 · References 19
Positive Technologies
added 2023/07/10 12:00 a.m. · 4 views

PT-2023-25419 · Kodbox · Kodbox

Name of the Vulnerable Software and Affected Versions: kodbox version 1.26 Description: A critical issue affects the function Execute of the file webconsole.php.txt in the WebConsole Plug-In component, leading to os command injection. The exploit has been disclosed publicly and may be used. The...

CVSS 8 · AI score 7.5 · EPSS 0.05927
Exploits 1 · References 7
Positive Technologies
added 2023/07/08 12:00 a.m. · 3 views

PT-2023-25224 · Gz Scripts · Gz Forum Script

Name of the Vulnerable Software and Affected Versions: GZ Scripts GZ Forum Script version 1.8 Description: A vulnerability was found in the file /preview.php, where the manipulation of the arguments catid, topicid, topic, topic message, or free name leads to cross site scripting. The attack may b...

CVSS 6.1 · AI score 4.1 · EPSS 0.00415
Exploits 0 · References 5
Positive Technologies
added 2023/07/03 12:00 a.m. · 4 views

PT-2023-24887 · Cometbft · Cometbft

Name of the Vulnerable Software and Affected Versions: CometBFT versions v0.34.28 and prior, v0.37.0, v0.37.1 Description: The mempool in CometBFT maintains two data structures, a list and a map, to track outstanding transactions. These data structures are supposed to be in sync, with the map...

CVSS 8.2 · AI score 8 · EPSS 0.00742
Exploits 1 · References 10
Prion
added 2023/06/28 11:15 p.m. · 25 views

Remote code execution

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and...

CVSS 7.5 · AI score 9.7 · EPSS 0.02682
Exploits 0 · References 7 · Affected Software 1
Cvelist
added 2023/06/28 10:32 p.m. · 23 views

CVE-2023-36475 Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and...

CVSS 9.8 · AI score 9.9 · EPSS 0.02682
Exploits 0 · References 7
CBLMariner
added 2023/06/27 9:25 p.m. · 18 views

CVE-2023-25725 affecting package haproxy 2.1.5-1

CVE-2023-25725 affecting package haproxy 2.1.5-1. A patched version of the package is available...

CVSS 9.1 · AI score 9.8 · EPSS 0.05493
Exploits 0
CBLMariner
added 2023/06/27 9:25 p.m. · 105 views

CVE-2023-28531 affecting package openssh 8.9p1-1

CVE-2023-28531 affecting package openssh 8.9p1-1. A patched version of the package is available...

CVSS 9.8 · AI score 7.5 · EPSS 0.02138
Exploits 0
CBLMariner
added 2023/06/27 9:25 p.m. · 16 views

CVE-2023-34256 affecting package kernel 5.10.183.1-1

CVE-2023-34256 affecting package kernel 5.10.183.1-1. A patched version of the package is available...

CVSS 5.5 · AI score 7.4 · EPSS 0.00247
Exploits 0
CBLMariner
added 2023/06/27 8:56 p.m. · 23 views

CVE-2023-32681 affecting package python-requests for versions less than 2.27.1-6

CVE-2023-32681 affecting package python-requests for versions less than 2.27.1-6. A patched version of the package is available...

CVSS 6.1 · AI score 7.2 · EPSS 0.02782
Exploits 1
IBM Security Bulletins
added 2023/06/27 6:57 p.m. · 37 views

Security Bulletin: FileNet Content Manager (FNCM) FileNet Content Search Services (CSS) ThoughtWorks XStream security vulnerabilities, affected, not vulnerable

Summary Security vulnerability in FileNet Content Manager FNCM FileNet Content Search Services CSS ThoughtWorks XStream, affected, not vulnerable. Vulnerability Details CVEID: CVE-2022-41966 DESCRIPTION: XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By...

CVSS 8.2 · AI score 7.6 · EPSS 0.08689
Exploits 1 · Affected Software 1
Patchstack
added 2023/06/27 12:00 a.m. · 13 views

WordPress WP Abstracts Plugin <= 2.6.2 is vulnerable to Cross Site Request Forgery (CSRF)

Software WP Abstracts Type Plugin Vulnerable versions = 2.6.2 Fixed in 2.6.3 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2023-36517 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID a8178ceb0ff9 Credits qilin99 Required...

CVSS 8.8 · AI score 6.6 · EPSS 0.00214
Exploits 0 · References 2 · Affected Software 1
Amazon
added 2023/06/27 12:00 a.m. · 31 views

Medium: yajl

Issue Overview: yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of yajl contain an integer overflow which leads to subsequent heap memory corruption when dealing with large 2GB inputs. The reallocation logic at yajlbuf.cL64 may result in...

CVSS 7.5 · AI score 8 · EPSS 0.03472
Exploits 1