CVEs Today
Latest Information on Common Vulnerabilities and Exposures (CVEs)
Last updated: May 31, 2023. 01:20:03
click on an item for more info;
| ID | Description | Modified | References |
|---|---|---|---|
| CVE-2022-24632 | An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is directory traversal during file download via the BrowseFiles.php view parameter. | May 29, 2023. 21:15:00 | [seclists.org] |
| CVE-2022-41766 | An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed). | May 29, 2023. 21:15:00 | [phabricator.wikimedia.org] |
| CVE-2023-32072 | Tuleap is an open source tool for end to end traceability of application and system developments. Tuleap Community Edition prior to version 14.8.99.60 and Tuleap Enterprise edition prior to 14.8-3 and 14.7-7, the logs of the triggered Jenkins job URLs are not properly escaped. A malicious Git administrator can setup a malicious Jenkins hook to make a victim, also a Git administrator, execute uncontrolled code. Tuleap Community Edition 14.8.99.60, Tuleap Enterprise Edition 14.8-3, and Tuleap Enterprise Edition 14.7-7 contain a patch for this issue. | May 29, 2023. 21:15:00 | [github.com][tuleap.net] |
| CVE-2023-32687 | tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety. | May 29, 2023. 21:15:00 | [github.com][github.com] |
| CVE-2022-24628 | An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is authenticated SQL injection in the id parameter of IPPhoneFirmwareEdit.php. | May 29, 2023. 21:15:00 | [seclists.org] |
| CVE-2022-24630 | An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. BrowseFiles.php allows a ?cmd=ssh POST request with an ssh_command field that is executed. | May 29, 2023. 21:15:00 | [seclists.org] |
| CVE-2022-24631 | An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is stored XSS via the ajaxTenants.php desc parameter. | May 29, 2023. 21:15:00 | [seclists.org] |
| CVE-2023-30253 | Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data. | May 29, 2023. 21:15:00 | [www.swascan.com][github.com] |
| CVE-2021-3610 | A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault. | May 29, 2023. 21:15:00 | [bugzilla.redhat.com][github.com] |
| CVE-2022-24580 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-24580. Reason: This candidate is a duplicate of CVE-2023-24580. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2023-24580 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | May 29, 2023. 20:15:00 | |
| CVE-2023-30571 | Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories. | May 29, 2023. 20:15:00 | [groups.google.com][github.com] |
| CVE-2023-33796 | ** DISPUTED ** A vulnerability in Netbox v3.5.1 allows unauthenticated attackers to execute queries against the GraphQL database, granting them access to sensitive data stored in the database. NOTE: the vendor disputes this because the reporter's only query was for the schema of the API, which is public; queries for database objects would have been denied. | May 29, 2023. 20:15:00 | [github.com][github.com] |
| CVE-2019-19791 | In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive. | May 29, 2023. 19:15:00 | [projects.ow2.org][gitlab.ow2.org] |
| CVE-2020-29547 | An issue was discovered in Citadel through webcit-926. Meddler-in-the-middle attackers can pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. This can lead to credential disclosure. | May 29, 2023. 19:15:00 | [uncensored.citadel.org][uncensored.citadel.org] |
| CVE-2021-27825 | A directory traversal vulnerability on Mercury MAC1200R devices allows attackers to read arbitrary files via a web-static/ URL. | May 29, 2023. 19:15:00 | [www.mercurycom.com.cn][packetstormsecurity.com] |
| CVE-2021-37845 | An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command (a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595). This potentially allows an attacker to cause a victim's e-mail messages to be stored into an attacker's IMAP mailbox, but depends on details of the victim's client behavior. | May 29, 2023. 19:15:00 | [uncensored.citadel.org][nostarttls.secvuln.info] |
| CVE-2022-32713 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none. | May 29, 2023. 18:15:00 | |
| CVE-2022-32668 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none. | May 29, 2023. 18:15:00 | |
| CVE-2022-32673 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none. | May 29, 2023. 18:15:00 | |
| CVE-2022-32678 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none. | May 29, 2023. 18:15:00 |
Page 12 of 129
