
CVEs Today

Latest Information on Common Vulnerabilities and Exposures (CVEs)

Last updated: May 31, 2023. 01:20:03


| ID | Description | Modified | References |
|---|---|---|---|
| CVE-2023-25491 | Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Samuel Marshall JCH Optimize plugin, versions <= 3.2.2. | May 8, 2023 02:37:00 | patchstack.com |
| CVE-2023-24400 | Authenticated (contributor+) Cross-Site Scripting (XSS) vulnerability in Hu-manity.Co Cookie Notice & Compliance for GDPR / CCPA plugin, versions <= 2.4.6. | May 8, 2023 02:37:00 | patchstack.com |
| CVE-2023-30257 | A buffer overflow in the component /proc/ftxxxx-debug of FiiO M6 Build Number v1.0.4 allows attackers to escalate privileges to root. | May 8, 2023 02:37:00 | stigward.github.io; github.com |
| CVE-2023-2459 | Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to bypass permission restrictions via a crafted HTML page. (Chromium security severity: Medium) | May 7, 2023 03:15:00 | chromereleases.googleblog.com; crbug.com |
| CVE-2023-2460 | Insufficient validation of untrusted input in Extensions in Google Chrome prior to 113.0.5672.63 allowed an attacker who convinced a user to install a malicious extension to bypass file access checks via a crafted HTML page. (Chromium security severity: Medium) | May 7, 2023 03:15:00 | chromereleases.googleblog.com; crbug.com |
| CVE-2023-2462 | Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to obfuscate main origin data via a crafted HTML page. (Chromium security severity: Medium) | May 7, 2023 03:15:00 | chromereleases.googleblog.com; crbug.com |
| CVE-2023-2463 | Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 113.0.5672.63 allowed a remote attacker to hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) | May 7, 2023 03:15:00 | chromereleases.googleblog.com; crbug.com |
| CVE-2023-2464 | Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed an attacker who convinced a user to install a malicious extension to perform an origin spoof in the security UI via a crafted HTML page. (Chromium security severity: Medium) | May 7, 2023 03:15:00 | chromereleases.googleblog.com; crbug.com |
| CVE-2023-2465 | Inappropriate implementation in CORS in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | May 7, 2023 03:15:00 | chromereleases.googleblog.com; crbug.com |
| CVE-2023-2466 | Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to spoof the contents of the security UI via a crafted HTML page. (Chromium security severity: Low) | May 7, 2023 03:15:00 | crbug.com; chromereleases.googleblog.com |
| CVE-2023-2467 | Inappropriate implementation in Prompts in Google Chrome on Android prior to 113.0.5672.63 allowed a remote attacker to bypass permission restrictions via a crafted HTML page. (Chromium security severity: Low) | May 7, 2023 03:15:00 | chromereleases.googleblog.com; crbug.com |
| CVE-2023-2468 | Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed a remote attacker who had compromised the renderer process to obfuscate the security UI via a crafted HTML page. (Chromium security severity: Low) | May 7, 2023 03:15:00 | chromereleases.googleblog.com; crbug.com |
| CVE-2023-2461 | Use after free in OS Inputs in Google Chrome on ChromeOS prior to 113.0.5672.63 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via crafted UI interaction. (Chromium security severity: Medium) | May 7, 2023 03:15:00 | chromereleases.googleblog.com; crbug.com |
| CVE-2023-29842 | ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter. | May 6, 2023 20:15:00 | github.com (two references) |
| CVE-2015-10105 | A vulnerability, which was classified as critical, was found in IP Blacklist Cloud Plugin up to 3.42 on WordPress. This affects the function valid_js_identifier of the file ip_blacklist_cloud.php of the component CSV File Import. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. Upgrading to version 3.43 is able to address this issue. The name of the patch is 6e6fe8c6fda7cbc252eef083105e08d759c07312. It is recommended to upgrade the affected component. The identifier VDB-227757 was assigned to this vulnerability. | May 6, 2023 03:15:00 | github.com; vuldb.com |
| CVE-2023-27035 | An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and cause other unspecified impacts via an embedded website on the canvas page. | May 6, 2023 03:14:00 | forum.obsidian.md (two references) |
| CVE-2023-27108 | An issue was discovered in KaiOS 3.0. The pre-installed Communications application exposes a Web Activity that returns the user's call log without origin or permission checks. An attacker can inject a JavaScript payload that runs in a browser or app without user interaction or consent. This allows an attacker to send the user's call logs to a remote server via XMLHttpRequest or Fetch. | May 6, 2023 03:14:00 | gist.github.com; kaios.dev |
| CVE-2023-2424 | A vulnerability was found in DedeCMS 5.7.106 and classified as critical. Affected by this issue is the function UpDateMemberModCache of the file uploads/dede/config.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-227750 is the identifier assigned to this vulnerability. | May 6, 2023 03:13:00 | vuldb.com (two references) |
| CVE-2023-2236 | A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Both io_install_fixed_file and its callers call fput on a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability. We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4. | May 6, 2023 03:13:00 | kernel.dance; git.kernel.org |
| CVE-2023-2248 | A heap out-of-bounds read/write vulnerability in the Linux Kernel traffic control (QoS) subsystem can be exploited to achieve local privilege escalation. The qfq_change_class function does not properly limit the lmax variable, which can lead to out-of-bounds read/write. If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. The MTU of the loopback device can be set up to 2^31-1 and as a result it is possible to have an lmax value that exceeds QFQ_MIN_LMAX. We recommend upgrading past commit 3037933448f60f9acb705997eae62013ecb81e0d. | May 6, 2023 03:13:00 | kernel.dance; git.kernel.org |
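The CVE-2023-2248 entry above describes a control-flow mistake rather than an arithmetic one: the lmax range check only runs when TCA_QFQ_LMAX is supplied, so the MTU fallback is never validated. The following is an added user-space model of that shape and of the fixed ordering; it is not the kernel's code. The function names are stand-ins for qfq_change_class(), the constant values are stated from memory of net/sched/sch_qfq.c and are an assumption, and the inputs in main() are constructed.

```c
/*
 * Added example (not kernel code): model of the lmax handling in
 * qfq_change_class() for CVE-2023-2248. Only the ordering of "pick the
 * value" versus "check the value" matters here; the constants below are an
 * assumption (from memory of sch_qfq.c) and the logic does not depend on
 * their exact values.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define QFQ_MTU_SHIFT 16                     /* assumption, see lead-in */
#define QFQ_MIN_LMAX  512
#define QFQ_MAX_LMAX  (1UL << QFQ_MTU_SHIFT)

/*
 * Both variants return the accepted lmax, or -EINVAL.
 *   has_attr  mirrors tb[TCA_QFQ_LMAX] being present in the netlink message
 *   attr      its value when present
 *   mtu       what psched_mtu() would return for the device
 */

/* Pre-fix shape: the range check lives inside the attribute branch only. */
long qfq_lmax_vuln(bool has_attr, uint32_t attr, uint32_t mtu)
{
    uint32_t lmax;

    if (has_attr) {
        lmax = attr;
        if (lmax < QFQ_MIN_LMAX || lmax > QFQ_MAX_LMAX)
            return -EINVAL;
    } else {
        lmax = mtu;             /* trusted: no range check on this path */
    }
    return (long)lmax;
}

/* Post-fix shape (commit 3037933448f6): choose the source first, then apply
 * a single range check to whatever was chosen. */
long qfq_lmax_fixed(bool has_attr, uint32_t attr, uint32_t mtu)
{
    uint32_t lmax = has_attr ? attr : mtu;

    if (lmax < QFQ_MIN_LMAX || lmax > QFQ_MAX_LMAX)
        return -EINVAL;
    return (long)lmax;
}

int main(void)
{
    /* Constructed input: a loopback device whose MTU was raised to 2^31-1,
     * and a netlink request that omits TCA_QFQ_LMAX. */
    const uint32_t lo_mtu = 0x7fffffffu;

    printf("vulnerable: accepted lmax = %ld\n", qfq_lmax_vuln(false, 0, lo_mtu));
    printf("fixed:      return value  = %ld\n", qfq_lmax_fixed(false, 0, lo_mtu));
    return 0;
}
```

The model makes the review question concrete: every path that can produce lmax must reach the same check. When auditing similar netlink-driven configuration code, look for validation that is nested under "attribute present" and ask what the default branch feeds into the same downstream indexing.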
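The CVE-2023-2236 entry above is a reference-ownership bug: both io_install_fixed_file and its callers drop the file reference on the same error path. The following is an added user-space model of that double drop and of one consistent ownership rule; it is not kernel code. struct model_file, model_fget(), model_fput() and the install/caller functions are stand-ins for struct file, fget(), fput(), io_install_fixed_file() and its callers, the error value is a stand-in, and the rule the fixed variant follows (the callee never drops the reference on error, the caller does) is an assumption chosen for the model. The starting state in refcount_after() is constructed.

```c
/*
 * Added example (not kernel code): model of the double fput() that
 * CVE-2023-2236 describes. The names are stand-ins for the io_uring
 * functions; the ownership rule in the fixed variant is an assumption.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct model_file {
    long refcount;   /* stands in for f_count */
    bool freed;      /* set when the count reaches zero */
};

static void model_fget(struct model_file *f)
{
    f->refcount++;
}

/* fput(): drop one reference; the object is gone once the count hits zero.
 * A second drop on the same path takes the count below what the remaining
 * holders own, which is the underflow the advisory describes. */
static void model_fput(struct model_file *f)
{
    if (--f->refcount == 0)
        f->freed = true;
}

/* Buggy callee: on failure it drops the reference it was handed. */
static int install_buggy(struct model_file *f, bool slot_busy)
{
    if (slot_busy) {
        model_fput(f);
        return -EBUSY;              /* stand-in error code */
    }
    return 0;                       /* success: the table now holds the ref */
}

/* Fixed callee: on failure it leaves the reference with the caller. */
static int install_fixed(struct model_file *f, bool slot_busy)
{
    (void)f;
    if (slot_busy)
        return -EBUSY;
    return 0;
}

/* Caller pattern shared by both variants: take a reference, try to install
 * it, and on error drop it. With install_buggy this is the second fput(). */
static int caller(struct model_file *f, bool slot_busy, bool use_fixed)
{
    int ret;

    model_fget(f);
    ret = use_fixed ? install_fixed(f, slot_busy) : install_buggy(f, slot_busy);
    if (ret < 0)
        model_fput(f);
    return ret;
}

/* Run one install attempt against a file already held once by the fd table
 * (constructed starting state) and report the resulting count:
 *   0  the file was freed while the fd table still points at it (UAF)
 *   1  the fd table's single reference survived the failed install
 *   2  success: fd table plus fixed-file table each hold one reference */
long refcount_after(bool slot_busy, bool use_fixed)
{
    struct model_file f = { .refcount = 1, .freed = false };

    caller(&f, slot_busy, use_fixed);
    return f.refcount;
}

int main(void)
{
    printf("buggy, error path: refcount %ld\n", refcount_after(true, false));
    printf("fixed, error path: refcount %ld\n", refcount_after(true, true));
    printf("fixed, success:    refcount %ld\n", refcount_after(false, true));
    return 0;
}
```

The lesson generalises beyond io_uring: a function that takes a counted reference must document whether it consumes that reference on failure, and its callers must follow exactly one convention. Two "helpful" cleanups on one error path are enough to free an object that another table still points at.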


Page 128 of 129


